VYPR
Unrated severity · NVD Advisory · Published May 19, 2024 · Updated Aug 1, 2024

SourceCodester Simple Inventory System updateprice.php sql injection

CVE-2024-5099

Description

A vulnerability was found in SourceCodester Simple Inventory System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file updateprice.php. The manipulation of the argument ITEM leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-265082 is the identifier assigned to this vulnerability.

Affected products


Patches


No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in updateprice.php allows direct concatenation of the ITEM POST parameter into a SQL UPDATE statement."

Attack vector

An attacker must first authenticate to the backend (e.g., with admin/admin credentials) to obtain a valid session cookie. The attacker then sends a POST request to `/updateprice.php` with a crafted `ITEM` parameter. Because the parameter is unsanitized and directly embedded in a SQL UPDATE statement, the attacker can perform Boolean-based SQL injection to extract arbitrary database contents [ref_id=1].

Affected code

The vulnerability is in `updateprice.php`. The `$_POST['ITEM']` parameter is directly concatenated into a SQL UPDATE statement without any sanitization or parameterization [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory recommends using parameterized queries (prepared statements) or input sanitization to prevent direct concatenation of user-supplied `ITEM` values into SQL statements [ref_id=1].
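To make the recommended fix concrete, here is an added PHP example (not code from Simple Inventory System or its advisory) contrasting the concatenation pattern the advisory describes with a prepared-statement version. The table and column names (`items`, `itemprice`, `item_id`) and the connection details are assumptions.

```php
<?php
// Added example; table/column names and credentials are assumptions, not the project's own.
$mysqli = new mysqli('localhost', 'inventory_user', 'CHANGE_ME', 'inventory');
$mysqli->set_charset('utf8mb4');

// The pattern the advisory describes: ITEM and itemprice are spliced into the
// query text, so the request body controls the structure of the statement.
function update_price_vulnerable(mysqli $db, array $post): bool {
    $sql = "UPDATE items SET itemprice = '" . $post['itemprice'] . "'"
         . " WHERE item_id = '" . $post['ITEM'] . "'";
    return (bool) $db->query($sql);
}

// Hardened version: validate the expected types, then bind both values as
// parameters so they are always treated as data, never as SQL.
function update_price_safe(mysqli $db, array $post): bool {
    $item  = filter_var($post['ITEM'] ?? null, FILTER_VALIDATE_INT);
    $price = filter_var($post['itemprice'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($item === false || $price === false) {
        return false; // reject malformed input rather than "cleaning" it by hand
    }
    $stmt = $db->prepare('UPDATE items SET itemprice = ? WHERE item_id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('di', $price, $item); // d = double, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed request data mirroring the advisory's ITEM/itemprice fields.
var_dump(update_price_safe($mysqli, ['ITEM' => '1', 'itemprice' => '123']));
```

The integer check on `ITEM` also gives a simple detection hook: a rejected update is a request whose `ITEM` value was not a plain item id, which is worth logging alongside the session that sent it.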

Preconditions

  • auth: Attacker must have a valid backend session (e.g., admin/admin login) to supply a session cookie.
  • network: The application must be reachable via HTTP POST to /updateprice.php.
  • input: The ITEM parameter is accepted without sanitization.

Reproduction

1. Log in to the Simple Inventory System backend (e.g., with admin/admin) and capture the session cookie.
2. Save the following request as `1.txt`, replacing the Cookie value with your session: `POST /updateprice.php HTTP/1.1` with body `ITEM=1&itemprice=123`.
3. Run `sqlmap -r 1.txt --batch --dbs` to automate Boolean-based SQL injection [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.