VYPR
High severity (CVSS 7.3, NVD) · Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-10253

Description

Unauthenticated SQL injection in itsourcecode Online House Rental System 1.0 via the id parameter in /manage_payment.php allows attackers to execute arbitrary SQL queries remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in itsourcecode Online House Rental System 1.0 via the `id` parameter in `/manage_payment.php` allows attackers to execute arbitrary SQL queries remotely.

Vulnerability

The vulnerability resides in the /manage_payment.php file of itsourcecode Online House Rental System version 1.0 [1]. The id parameter passed via GET request is directly concatenated into SQL queries without proper sanitization or parameterized queries, as confirmed by the root cause analysis in the public disclosure [2]. No authentication is required to reach this endpoint [2].

Exploitation

An attacker can exploit the vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint, for example `GET /house_rental/manage_payment.php?id=3`, where the value of the id parameter is replaced with an SQL injection payload [2]. Public exploit code is available, and the attack can be launched remotely without prior authentication [2].

Impact

Successful exploitation allows an attacker to gain unauthorized access to the database, leading to sensitive data leakage, data tampering, and potentially full system compromise. The impact includes comprehensive control over the database and possible service interruption [2].

Mitigation

As of the publication date (2026-06-01), no official patch has been released by the vendor (Itsourcecode) [1]. The project appears to be a sample capstone project and may not receive updates. Users should apply input validation and use parameterized queries for all database interactions, or consider migrating to a maintained alternative [2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `id` parameter in `/manage_payment.php` is directly concatenated into SQL queries without input validation or sanitization, allowing SQL injection."

Attack vector

An unauthenticated attacker sends a crafted GET request to `/manage_payment.php` with a malicious `id` parameter. The payload is directly interpolated into SQL queries, enabling boolean-based blind, error-based, time-based blind, and UNION query injection techniques [ref_id=1]. No login or authorization is required, and the attack can be launched remotely.

Affected code

The vulnerability exists in the file `/manage_payment.php` of the Online House Rental System V1.0. The `id` GET parameter is directly used in SQL queries without sanitization or validation, allowing SQL injection.

What the fix does

The advisory recommends using prepared statements and parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and regular security audits [ref_id=1]. No patch has been published by the vendor.
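As an added illustration of the recommended fix (example code, not the project's own or the advisory's), the following hardened handler shows the concatenation pattern the advisory describes next to a validated, parameter-bound replacement; the `payments` table, its column names, the DSN and the database account are assumed placeholders.

```php
<?php
// Added example, not the project's own code. Table and column names,
// DSN and credentials below are assumptions, not taken from the advisory.

// Hypothetical vulnerable pattern (for contrast only): the raw GET value
// becomes part of the SQL text, so it can change the query's meaning.
//   $sql = "SELECT * FROM payments WHERE id = " . $_GET['id'];

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=house_rental;charset=utf8mb4'; // assumed
    // Use a least-privilege account that can only read/write what this page needs.
    $pdo = new PDO($dsn, 'rental_app', getenv('DB_PASSWORD') ?: '');
    // Real server-side prepared statements, and exceptions instead of silent failure.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/** Strict input validation: id must be a positive integer; anything else is rejected. */
function validatePaymentId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Parameter binding keeps the value out of the SQL text entirely. */
function fetchPayment(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, tenant_id, amount FROM payments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The advisory notes the endpoint is reachable without login; require a session first.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}
$id = validatePaymentId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid payment id');
}
$payment = fetchPayment(connect(), $id);
```

With `ATTR_EMULATE_PREPARES` disabled, the query template and the bound integer travel to MySQL separately, so the id value is never interpreted as SQL regardless of its contents.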

Preconditions

  • auth: No authentication or authorization required
  • network: Attacker must be able to send HTTP GET requests to the vulnerable endpoint
  • input: The id parameter is accepted without sanitization

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)