SourceCodester Free and Open Source Inventory Management System search_sales_report.php SQL injection
Description
A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /app/ajax/search_sales_report.php. The manipulation of the argument customer leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254861 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in SourceCodester Free and Open Source Inventory Management System 1.0 allowing remote unauthenticated attackers to manipulate database queries via the customer parameter.
Vulnerability
A critical SQL injection vulnerability exists in SourceCodester Free and Open Source Inventory Management System version 1.0. The flaw is located in the file /app/ajax/search_sales_report.php, where the customer parameter is not properly sanitized before being used in SQL queries. This allows an attacker to inject arbitrary SQL commands. The vulnerability can be exploited remotely without authentication. The software is available from SourceCodester as described in [1].
Exploitation
An attacker can send a crafted POST request to /app/ajax/search_sales_report.php with a malicious customer parameter. A proof-of-concept (PoC) has been publicly disclosed [1], showing the use of a UNION-based SQL injection payload: customer=-9350 UNION ALL SELECT 9630,9630,9630,9630,CONCAT(0x717a626b71,0x764248434c67444f4a7050646d6268436f486c7456587348744242525a66715147646b6369744a6c,0x717a767a71),9630,9630,9630,9630,9630,9630,9630,9630,9630#. The attack requires no prior authentication or user interaction, only network access to the application server.
Impact
Successful exploitation allows an attacker to read, modify, or delete arbitrary data from the database, potentially compromising the entire inventory management system. This can lead to information disclosure of sensitive records, data integrity issues, and in some cases, further compromise of the application or server depending on database permissions [1]. The CVSS score of 9.8 (Critical) reflects the ease of exploitation and high impact on confidentiality, integrity, and availability.
Mitigation
As of February 27, 2024, no official patch has been released by SourceCodester for version 1.0 [1]. Users are advised to sanitize user input for the customer parameter by using parameterized queries or prepared statements. Until a vendor-supplied fix is available, restricting network access to the affected endpoint and validating input against a whitelist of allowed values may reduce risk. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
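The remediation advised above, shown as an added example that is not code from the SourceCodester project: a handler that splices the customer value into the query text, alongside a hardened handler that validates the value against an allow-list and binds it through a prepared statement. The real schema behind search_sales_report.php is not published, so the sales table, its rows and the allow-list pattern are all constructed assumptions; an in-memory SQLite database via PDO keeps the script runnable stand-alone, and with the application's MySQL backend only the DSN would differ.

```php
<?php
// Added example for this CVE entry; it is not code from the SourceCodester
// project. The real schema and column names behind search_sales_report.php are
// unknown, so the `sales` table and rows below are constructed for illustration.
// An in-memory SQLite database via PDO keeps it runnable stand-alone (requires
// the pdo_sqlite extension); with MySQL only the DSN would change.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sales (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, total REAL NOT NULL)');
    $db->exec("INSERT INTO sales (customer, total) VALUES ('acme', 120.0), ('globex', 45.5)");
    return $db;
}

// Vulnerable pattern: the request value is spliced into the SQL text, so quotes,
// comment markers and UNION clauses in the input become part of the query.
function searchSalesVulnerable(PDO $db, string $customer): array
{
    $sql = "SELECT id, customer, total FROM sales WHERE customer = '$customer'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: an allow-list check on the value's shape, then a prepared
// statement so the value is always bound as data, never parsed as SQL.
function searchSalesSafe(PDO $db, string $customer): array
{
    // The allow-list is an assumption about what a customer name may contain;
    // widen it to the application's real rules, but keep it explicit.
    if (preg_match('/^[A-Za-z0-9 _.\-]{1,64}$/', $customer) !== 1) {
        throw new InvalidArgumentException('customer: disallowed characters or length');
    }
    $stmt = $db->prepare('SELECT id, customer, total FROM sales WHERE customer = :customer');
    $stmt->execute([':customer' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
// Constructed probe: a simple tautology that matches no customer name yet
// breaks out of the quotes when the value is spliced into the SQL text.
$probe = "' OR 1=1 -- ";

$rows = searchSalesVulnerable($db, $probe);
printf("vulnerable handler: %d row(s) returned for a value that matches no customer\n", count($rows));

try {
    searchSalesSafe($db, $probe);
} catch (InvalidArgumentException $e) {
    echo "hardened handler: rejected (" . $e->getMessage() . ")\n";
}

// Even without the allow-list, the bound parameter alone returns 0 rows here,
// because the whole probe is compared as a literal string.
$stmt = $db->prepare('SELECT COUNT(*) FROM sales WHERE customer = :customer');
$stmt->execute([':customer' => $probe]);
printf("bound parameter only: %d row(s) for the same probe\n", (int) $stmt->fetchColumn());

printf("hardened handler, legitimate lookup: %d row(s) for 'acme'\n", count(searchSalesSafe($db, 'acme')));
```

The prepared statement is the control that actually closes the injection; the allow-list is defence in depth and should be tuned to the characters real customer names need rather than left as the assumed pattern above. Restricting network access to the endpoint, as the advisory suggests, is an interim measure that does not remove the flaw.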
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 1.0
- (no CPE) range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Free%20and%20Open%20Source%20inventory%20management%20system-SQLi.md (mitre, exploit)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.