CVE-2026-10808
Description
SQL injection vulnerability in itsourcecode Fees Management System 1.0 allows authenticated attackers to access or modify sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /manage_student.php file of the itsourcecode Fees Management System version 1.0. The issue stems from the improper sanitization of the id parameter, which allows for the injection of malicious SQL code [2].
Exploitation
Exploitation requires authentication or prior access to the system. Once logged in, an attacker can supply crafted SQL in the id parameter of /manage_student.php to alter the query the application builds from it. A public proof of concept in the form of a sqlmap invocation is referenced [1, 2].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized database access, sensitive data leakage, data tampering, comprehensive system control, and service interruption [2].
Mitigation
No vendor patch is disclosed in the available references. The advisory recommends prepared statements with parameter binding, strict validation of the id parameter (for example, accepting only numeric values), and least-privilege database accounts [1]. The vendor's homepage is available [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- itsourcecode Fees Management System, version = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize or validate the 'id' parameter before using it in SQL queries."
Attack vector
An attacker must first log in with valid credentials to access the system. Once authenticated, the attacker can manipulate the 'id' parameter in the `/manage_student.php` file. By injecting malicious SQL code into this parameter, the attacker can alter the intended SQL query. This allows for remote exploitation of the vulnerability, potentially leading to unauthorized database access or data manipulation [ref_id=1].
Affected code
The vulnerability resides in the `/manage_student.php` file, specifically concerning the manipulation of the 'id' parameter. The issue arises because this input is not adequately sanitized before being incorporated into SQL queries [ref_id=1].
What the fix does
The advisory suggests using Prepared Statements and Parameter Binding to prevent SQL injection, as this method treats user input as data rather than executable SQL code. Additionally, it recommends strict input validation and filtering to ensure data conforms to expected formats, such as numeric patterns for IDs. Minimizing database user permissions and conducting regular security audits are also advised remediation steps [ref_id=1]. No patch is available in the cited references, so no concrete code change can be shown; applying the measures above would stop the 'id' parameter from being interpreted as SQL.
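To make the attack vector and the recommended fix concrete, the following PHP is an added example written for this page; it is not code from the itsourcecode Fees Management System and does not claim to reproduce its manage_student.php. It shows the string-concatenation pattern the advisory describes next to a hardened version that validates the id and binds it with a prepared statement. The table name, columns, sample rows and the boolean-based payload are constructed for the demo, and an in-memory SQLite database is used via PDO so the script runs offline; the real application targets MySQL (per the sqlmap command in the reproduction section).

```php
<?php
// Added example (not the Fees Management System's own code): vulnerable
// concatenation of a request parameter into SQL versus validation plus a
// prepared statement. Schema and rows below are constructed for the demo.
declare(strict_types=1);

function demoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, fees_due REAL)');
    $db->exec("INSERT INTO students VALUES (1, 'Ada', 120.0), (2, 'Grace', 0.0), (3, 'Linus', 75.5)");
    return $db;
}

// Vulnerable pattern: the raw query-string value is spliced into the SQL
// text, so an id of "1 OR 1=1" rewrites the WHERE clause and returns
// every row instead of one.
function lookupStudentVulnerable(PDO $db, string $id): array {
    $sql = "SELECT id, name, fees_due FROM students WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern, following the advisory's two recommendations:
// (1) accept only a positive integer for id and reject anything else;
// (2) bind the value as a parameter so the database receives it as data,
//     never as part of the SQL text.
function lookupStudentSafe(PDO $db, string $id): array {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name, fees_due FROM students WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demoDb();
$payload = '1 OR 1=1';   // constructed boolean-based injection payload

// Vulnerable lookup leaks all three students for the injected id.
printf("vulnerable, id=%s -> %d rows\n", $payload, count(lookupStudentVulnerable($db, $payload)));

// Hardened lookup returns exactly one row for a legitimate id ...
printf("safe, id=1 -> %d row\n", count(lookupStudentSafe($db, '1')));

// ... and refuses the payload before any SQL is built.
try {
    lookupStudentSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "safe, id={$payload} -> rejected: {$e->getMessage()}\n";
}
```

Run with `php manage_student_demo.php` (any filename). When porting the hardened function to the MySQL driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server performs the binding rather than the client library, and connect as a database account limited to the students table rather than a privileged user, which is the least-privilege point the advisory makes.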
Preconditions
- auth: Exploitation requires authentication or prior access to the system.
- input: The 'id' parameter is manipulated with malicious SQL code.
Reproduction
python sqlmap.py --random-agent --batch -u "http://154.219.114.125:1201/manage_student.php?id=1" --dbms=mysql --current-db --level 2 [ref_id=1]
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Itsourcecode Fees Management System: Three Medium-Severity Flaws Disclosed Together. Vypr Intelligence, Jun 4, 2026