CVE-2026-10297
Description
SQL injection in itsourcecode Fees Management System 1.0 allows remote attackers to access or modify data after authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /manage_course.php file of the itsourcecode Fees Management System version 1.0. The vulnerability stems from the improper sanitization of the id parameter, which is used in SQL queries. This issue affects version 1.0 of the software [2].
Exploitation
An attacker must first authenticate and gain access to the system to exploit this vulnerability. Once authenticated, the attacker can manipulate the id parameter, typically via a GET request, to inject malicious SQL code. Proof-of-concept payloads demonstrate both boolean-based blind and UNION query injection techniques [2].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized database access, sensitive data leakage, data tampering, and potentially full system control or service interruption. The attacker gains significant control over the system's data and operations [2].
Mitigation
No patched version or specific mitigation steps are disclosed in the available references. Users are advised to consult the vendor for potential solutions or workarounds. The vendor's homepage is available at [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize or validate the 'id' parameter before using it in SQL queries."
Attack vector
The vulnerability is in the `/manage_course.php` file and affects the 'id' parameter. Attackers can exploit this by manipulating the 'id' argument to inject malicious SQL code. This attack can be initiated remotely and requires authentication or prior access to the system [ref_id=1]. The exploit uses SQL injection techniques, such as boolean-based blind or UNION queries, to interact with the database [ref_id=1].
Affected code
The vulnerability resides in the `/manage_course.php` file, specifically within the handling of the 'id' parameter. The application fails to properly sanitize this input before incorporating it into SQL queries [ref_id=1].
What the fix does
The advisory suggests using Prepared Statements and Parameter Binding to prevent SQL injection, as this method treats user input as data rather than executable SQL code. Additionally, it recommends strict input validation and filtering to ensure user input conforms to expected formats, such as numeric patterns for IDs. Minimizing database user permissions and conducting regular security audits are also advised [ref_id=1]. The patch does not show specific code changes, but these measures would address the vulnerability.
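To make the recommended fix concrete, the following is an added illustration (not code from the itsourcecode project, whose source is not shown in this record): the vulnerable pattern the advisory describes for the id parameter of /manage_course.php, next to a hardened version that applies the two measures named above, strict numeric validation of the ID and a prepared statement with parameter binding. The table and column names (courses, id, course_name) and the use of mysqli are assumptions for illustration.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// mysqli API are assumptions chosen for illustration.

// Make mysqli throw on prepare/execute failures instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable pattern: the request parameter is spliced into the SQL text ---
function getCourseVulnerable(mysqli $db, array $request): ?array
{
    $id = $request['id'] ?? '';
    // Whatever the client sends becomes part of the query itself, so the
    // parameter can change the meaning of the statement rather than just its value.
    $sql = "SELECT id, course_name FROM courses WHERE id = '$id'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern: validate the type, then bind the value as data ---
function getCourseSafe(mysqli $db, array $request): ?array
{
    // 1. Strict input validation: a course ID must be a positive integer.
    //    filter_var returns false for anything that is not an integer >= 1.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);   // reject malformed IDs before touching the database
        return null;
    }

    // 2. Prepared statement with parameter binding: the placeholder is compiled
    //    as part of the query, and the value is sent separately, typed as an
    //    integer ('i'), so it can never be interpreted as SQL.
    $stmt = $db->prepare('SELECT id, course_name FROM courses WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Example wiring for a page handler such as manage_course.php (assumed credentials;
// the database account should hold only the privileges this page needs, per the
// least-privilege advice in the advisory).
// $db = new mysqli('localhost', 'fees_app', 'CHANGE_ME', 'fees_db');
// $course = getCourseSafe($db, $_GET);
```

The validation step alone is not the fix; it narrows the accepted input to the numeric pattern the advisory calls for and gives a clean 400 on bad input, while the prepared statement is what removes the injection path regardless of what reaches the query.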
Preconditions
- auth: Exploitation requires authentication or prior access to the system [ref_id=1].
- input: The 'id' parameter is manipulated to inject malicious SQL code [ref_id=1].
Reproduction
python sqlmap.py --random-agent --batch -u "http://154.219.114.125:1201/manage_course.php?id=1" --dbms=mysql --current-db [ref_id=1]
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.