SourceCodester Simple Inventory System tableedit.php sql injection
Description
A vulnerability was found in SourceCodester Simple Inventory System 1.0. It has been classified as critical. This affects an unknown part of the file tableedit.php. The manipulation of the argument from/to leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-265083.
Affected products
- Range: =1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in tableedit.php allows the `from` POST parameter to be directly concatenated into a SQL UPDATE statement."
Attack vector
An attacker must first authenticate to the Simple Inventory System backend (e.g., with admin/admin credentials) [ref_id=1]. Once logged in, they send a crafted POST request to `/tableedit.php` containing malicious values in the `from` (and optionally `to`) parameters. Because the input is unsanitized and directly embedded in a SQL UPDATE statement, the attacker can perform error-based SQL injection to extract arbitrary database contents [ref_id=1]. The attack is remotely exploitable over HTTP.
Affected code
The vulnerability is in `tableedit.php`. The `from` parameter, received via POST, is directly concatenated into a SQL UPDATE statement without any sanitization or parameterization [ref_id=1]. The `to` parameter may also be involved, as the exploit payload includes both `from` and `to` values.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] identifies that the root cause is the lack of any security filtering on the `from` parameter before it is spliced into a SQL UPDATE statement. The recommended remediation would be to replace the dynamic string concatenation with prepared statements or parameterized queries, and to validate or escape all user-supplied input.
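As an added illustration (not code from Simple Inventory System or from the advisory), here is the concatenation pattern the advisory describes, reconstructed as a hypothetical handler, beside the parameterized form the recommended remediation calls for. The table name `inventory`, the column `qty`, and treating `from`/`to` as numeric values are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// meaning of `from`/`to` are assumptions; only the pattern matters here.

// VULNERABLE pattern: $_POST['from'] and $_POST['to'] are spliced into the
// UPDATE text, so whatever the client sends is parsed by MySQL as SQL.
function update_item_vulnerable(mysqli $db, array $post): bool
{
    $from = $post['from'] ?? '';
    $to   = $post['to'] ?? '';
    $sql  = "UPDATE inventory SET qty = '$to' WHERE qty = '$from'";
    return $db->query($sql) !== false;   // query text is attacker-controlled
}

// HARDENED form: the SQL text is a fixed string; user values travel only as
// bound parameters, so the database never interprets them as SQL syntax.
function update_item_safe(mysqli $db, array $post): bool
{
    $from = $post['from'] ?? null;
    $to   = $post['to'] ?? null;

    // Allowlist validation before touching the database: both values must
    // be present and numeric for this (assumed) integer quantity column.
    if (!is_numeric($from) || !is_numeric($to)) {
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare('UPDATE inventory SET qty = ? WHERE qty = ?');
    if ($stmt === false) {
        return false;                    // prepare failed (logged upstream)
    }
    // 'ii' binds both values as integers; the placeholders are positional.
    $stmt->bind_param('ii', $to, $from);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same prepare/bind/execute shape applies to every other query in the application that currently interpolates request data; the `from`/`to` pair is only the instance the advisory reports.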
Preconditions
- auth: Attacker must have valid backend credentials (e.g., admin/admin) and an active session cookie.
- network: The application must be reachable over the network.
- input: The `from` (and optionally `to`) POST parameters must contain unsanitized user input.
Reproduction
1. Log in to the Simple Inventory System backend with credentials such as admin/admin.
2. Capture the session cookie (e.g., `PHPSESSID=ncbt63bs17glrou5b79l17ifm6`).
3. Save the following HTTP request as `1.txt`, replacing the Host and Cookie values as needed:
```
POST /tableedit.php HTTP/1.1
Host:
```
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/rockersiyuan/CVE/blob/main/SourceCodester%20Simple%20Inventory%20System%20Sql%20Inject-3.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.