VYPR
Medium severity · 4.7 · NVD Advisory · Published May 31, 2026

CVE-2026-10155

Description

A vulnerability was found in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function accounts_report_search of the file application/modules/accounts/controllers/Accounts.php of the component Accounts Report Handler. Manipulating the argument dtpToDate results in SQL injection. The attack can be carried out remotely. The exploit has been made public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection via the `dtpToDate` parameter in Bdtask Multi-Store Inventory Management System 1.0 allows an authenticated admin-level attacker to extract sensitive data from the database.

Vulnerability

A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0, specifically in the accounts_report_search() function of the file application/modules/accounts/controllers/Accounts.php [1]. The dtpToDate POST argument is directly concatenated into an SQL query using CodeIgniter's Query Builder where() method without parameterization, enabling injection of arbitrary SQL statements [1]. The affected component is the Accounts Report Handler [1].

Exploitation

An attacker must first authenticate with an admin-level account [1]. After logging in, the attacker navigates to Accounts → Account Reports → General Ledger, selects a GL Head, and sets the "To Date" field to a crafted payload, such as a UNION-based injection string [1]. No special tools are required; the attack can be performed directly from a browser [1]. The dtpToDate parameter is submitted via POST and injected into the SQL query without sanitization [1].

Impact

A successful exploit allows the attacker to extract sensitive data from the database, including admin email addresses and MD5 password hashes from the user table [1]. This compromises the confidentiality of user credentials and could lead to further account compromise. The CVSS v3 score given in the reference is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N), indicating high impacts on confidentiality and integrity [1].

Mitigation

The vendor, Bdtask, has not released a patched version as of the publication date [1]. The software version 1.0 is affected and no official fix or workaround is provided in the available references. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should restrict admin account access and apply input validation or parameterized queries to the dtpToDate parameter until a vendor-supplied update is available [1].

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Direct string interpolation of user-controlled input into a SQL query via CodeIgniter's Query Builder where() method without parameterization."

Attack vector

An authenticated admin attacker sends a crafted POST request to `/accounts/accounts/accounts_report_search` with a malicious `dtpToDate` value. The payload `2099-01-01" UNION SELECT ... FROM user ...` exploits the unsanitized string interpolation to extract admin email and MD5 password hashes from the `user` table [ref_id=1]. The attack is remote, requires admin-level privileges, and no special tools beyond a browser are needed [ref_id=1].

Affected code

The vulnerability resides in `application/modules/accounts/controllers/Accounts.php` within the `accounts_report_search()` function. The `dtpToDate` POST parameter is directly interpolated into a SQL query via CodeIgniter's Query Builder `where()` method without parameterization, as shown in the simplified `Accounts_model.php` snippet: `$this->db->where('VDate BETWEEN "'.$dtpFromDate.'" and "'.$dtpToDate.'"')` [ref_id=1].

What the fix does

The advisory does not include a published patch. The root cause is direct string concatenation of user input into the SQL query's `WHERE` clause. To fix the vulnerability, the application must use parameterized queries (prepared statements) or properly escape the `dtpFromDate` and `dtpToDate` parameters before passing them to CodeIgniter's Query Builder, ensuring user input is never directly interpolated into SQL strings [ref_id=1].
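The vulnerable `where()` pattern quoted above beside a hardened form, covering both the Mitigation and "What the fix does" sections. This is an added example, not the vendor's code: it assumes CodeIgniter 3's Query Builder (`$this->db`), the method names are illustrative, and the `acc_transaction` table name is taken from the page's payload rather than confirmed as the report table.

```php
<?php
// Added example, not vendor code. Assumes CodeIgniter 3 Query Builder.

// Strict check: accept only a YYYY-MM-DD string that round-trips exactly,
// so trailing characters (quotes, keywords) or impossible dates are rejected.
function valid_report_date(string $s): bool
{
    $d = DateTime::createFromFormat('!Y-m-d', $s);
    return $d !== false && $d->format('Y-m-d') === $s;
}

class Accounts_model extends CI_Model
{
    // BEFORE (pattern quoted in the advisory): the raw POST values are spliced
    // into the SQL string, so a closing quote in dtpToDate terminates the
    // literal and whatever follows is parsed as SQL.
    public function report_vulnerable($dtpFromDate, $dtpToDate)
    {
        $this->db->where('VDate BETWEEN "'.$dtpFromDate.'" and "'.$dtpToDate.'"');
        return $this->db->get('acc_transaction')->result();
    }

    // AFTER: reject anything that is not a date, then pass the values as the
    // second argument of where() so Query Builder escapes them itself.
    public function report_fixed($dtpFromDate, $dtpToDate)
    {
        if (!valid_report_date($dtpFromDate) || !valid_report_date($dtpToDate)) {
            return array(); // controller can surface a validation error instead
        }
        $this->db->where('VDate >=', $dtpFromDate);
        $this->db->where('VDate <=', $dtpToDate);
        return $this->db->get('acc_transaction')->result();
    }

    // Equivalent using CI3 query bindings: each ? is replaced with the
    // escaped value, so the BETWEEN clause keeps its original shape.
    public function report_fixed_bound($dtpFromDate, $dtpToDate)
    {
        if (!valid_report_date($dtpFromDate) || !valid_report_date($dtpToDate)) {
            return array();
        }
        $sql = 'SELECT * FROM acc_transaction WHERE VDate BETWEEN ? AND ?';
        return $this->db->query($sql, array($dtpFromDate, $dtpToDate))->result();
    }
}
```

The validation step is a defence in depth on top of escaping: a report date has a fixed shape, so anything that does not match it can be refused before reaching the database layer.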

Preconditions

  • auth: Attacker must have a valid admin-level session cookie
  • input: Attacker must send a POST request to the vulnerable endpoint with a crafted dtpToDate parameter
  • network: Application must be reachable over the network

Reproduction

1. Log in with an admin account on a local installation of Multi-Store Inventory Management System v1.0.
2. Navigate to Accounts → Account Reports → General Ledger.
3. Select any GL Head from the dropdown, leave Transaction Head blank, set From Date to `2000-01-01`, and set To Date to `2099-01-01" UNION SELECT email COLLATE utf8_unicode_ci,0,0,password COLLATE utf8_unicode_ci,0,0,0 FROM user LEFT JOIN acc_transaction ON 0=1 WHERE "1"="1`.
4. Click Search; the report table will display the admin email and MD5 password hash from the user table [ref_id=1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.