SourceCodester Simple Inventory System updateproduct.php SQL injection
Description
A vulnerability was found in SourceCodester Simple Inventory System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file updateproduct.php. The manipulation of the argument ITEM leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-265084.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in `updateproduct.php` allows the `ITEM` POST parameter to be directly concatenated into a SQL UPDATE statement."
Attack vector
An attacker must first authenticate to the backend (e.g., with admin/admin credentials) to obtain a valid session cookie [ref_id=1]. The attacker then sends a POST request to `/updateproduct.php` with a malicious `ITEM` parameter; the parameter is unsafely interpolated into a SQL UPDATE statement, enabling time-based SQL injection [ref_id=1]. The attack is remotely exploitable over HTTP.
Affected code
The vulnerability resides in `updateproduct.php` [ref_id=1]. The `$_POST['ITEM']` parameter is directly concatenated into a SQL UPDATE statement without any sanitization or parameterization [ref_id=1].
What the fix does
No official patch has been published by the vendor. The advisory recommends using parameterized queries or prepared statements instead of directly concatenating user-supplied input into SQL statements [ref_id=1]. Developers should also apply input validation and escaping to the `ITEM` parameter before it reaches the database.
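As an added illustration of the advisory's recommendation (example code written for this page, not the project's own file, which is not reproduced here): a hypothetical concatenated UPDATE of the kind the root cause describes, beside a hardened version that validates `ITEM` and uses a mysqli prepared statement. The table name `products`, the column names and the `$conn` handle are assumptions.

```php
<?php
// Added example, not the project's code. Table/column names (products,
// ITEM, itemnumber) and the mysqli connection $conn are assumptions.

// BEFORE: the pattern the advisory describes. Whatever arrives in
// $_POST['ITEM'] becomes part of the SQL text, so it can alter the query.
function update_product_vulnerable(mysqli $conn, array $post): bool
{
    $sql = "UPDATE products SET itemnumber = '" . $post['itemnumber'] . "'"
         . " WHERE ITEM = " . $post['ITEM'];
    return (bool) $conn->query($sql);
}

// AFTER: validate the shape of each input, then bind it as a typed
// parameter so the database never interprets it as SQL.
function update_product_safe(mysqli $conn, array $post): bool
{
    // ITEM is a record id: accept only a positive integer, reject anything else
    // instead of trying to "clean" it.
    $item = filter_var($post['ITEM'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($item === false) {
        return false;
    }
    // itemnumber is free text; bound the length, it is still passed as a parameter.
    $itemnumber = trim((string) ($post['itemnumber'] ?? ''));
    if ($itemnumber === '' || strlen($itemnumber) > 64) {
        return false;
    }

    $stmt = $conn->prepare('UPDATE products SET itemnumber = ? WHERE ITEM = ?');
    if ($stmt === false) {
        return false;
    }
    // 's' = string, 'i' = integer: values travel separately from the SQL text.
    $stmt->bind_param('si', $itemnumber, $item);
    $ok = $stmt->execute() && $stmt->affected_rows >= 0;
    $stmt->close();
    return $ok;
}
```

The hardened function rejects a non-numeric `ITEM` outright rather than escaping it, which is the validation step the advisory asks for on top of parameterization.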
Preconditions
- Authentication: the attacker must have a valid backend session (e.g., logged in as admin/admin)
- Network: the attacker must be able to send HTTP POST requests to the target server
- Input: the ITEM POST parameter is accepted without sanitization
Reproduction
1. Log in to the Simple Inventory System backend with admin/admin credentials to obtain a PHPSESSID cookie [ref_id=1].
2. Save the following HTTP request as `1.txt`, replacing the Host and Cookie values as needed: `POST /updateproduct.php HTTP/1.1` with body `ITEM=1&itemnumber=11111` [ref_id=1].
3. Run `sqlmap -r 1.txt --batch --current-db` to extract database contents via time-based injection [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/rockersiyuan/CVE/blob/main/SourceCodester%20Simple%20Inventory%20System%20Sql%20Inject-4.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.