CVE-2026-12131
Description
SQL injection in CodeAstro HRMS 1.0's Payroll Invoice module allows remote attackers to extract sensitive payroll and employee data via the ID parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the Invoice() function of Payroll.php in CodeAstro Human Resource Management System version 1.0. The function retrieves the Id parameter from a GET request via $this->input->get('Id') and passes it unsanitized to $this->payroll_model->getAllSalaryDataById($id). Inside the model layer, the input is embedded directly into a dynamically constructed SQL query without parameterization or escaping, allowing an attacker to inject arbitrary SQL commands. The affected endpoint is /hrsystem/payroll/invoice?Id={value}&em={value}. [1]
Exploitation
The vulnerability can be exploited remotely without authentication. An attacker sends a crafted HTTP request to the vulnerable endpoint, manipulating the Id parameter with a SQL injection payload (e.g., appending a single quote). This causes the database to return an error, confirming the injection point. The attacker can then extract data by injecting UNION-based or error-based queries. [1]
Impact
Successful exploitation leads to information disclosure. The attacker can extract sensitive payroll and employee records from the database, including financial data. No evidence of write access or remote code execution is provided in the references. [1]
Mitigation
As of the publication date, no official patch has been released by CodeAstro [2]. The application uses CodeIgniter, which supports prepared statements and query builder methods; developers should replace all dynamic queries with parameterized statements or use CodeIgniter’s built-in query builder to prevent SQL injection. Until a fix is available, restricting network access to the /hrsystem/payroll/ endpoint and input validation of the Id parameter are recommended workarounds. [1][2]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unsafe dynamic query construction in getAllSalaryDataById() embeds user-supplied Id input directly into SQL statements without parameterization or input validation."
Attack vector
The attacker sends a crafted HTTP GET request to the /hrsystem/payroll/invoice endpoint, manipulating the Id parameter with SQL payloads such as 6' to break the query and trigger database errors [ref_id=1]. This allows exploitation via boolean-based, error-based, UNION query-based, and time-based blind SQL injection techniques [ref_id=1]. No authentication is mentioned as a barrier beyond the requirement to reach the payroll invoice endpoint, making remote exploitation possible with low privileges [ref_id=1].
Affected code
The vulnerable function is Invoice() in Payroll.php, located at application/controllers/Payroll.php. The Id parameter from the GET request is passed directly to getAllSalaryDataById() in the model layer without sanitization or parameterization, allowing dynamic SQL query construction [ref_id=1].
What the fix does
The recommended fix replaces direct SQL concatenation with CodeIgniter's query builder (e.g., $this->db->where('pay_id', $id)) or prepared statements using bound parameters, so that user input is passed as a value and never interpreted as SQL code [ref_id=1]. Additionally, the controller should cast the Id parameter to an integer to enforce numeric type validation before it reaches the model layer [ref_id=1].
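As an added illustration (not code from CodeAstro HRMS or the cited references), the unsafe query shape the advisory describes, beside the CodeIgniter 3 query-builder form and controller-side integer check it recommends. The table name payroll is assumed; the pay_id column name is taken from the advisory.

```php
<?php
// Added example, not CodeAstro's code: the query shape the advisory
// describes, beside the CodeIgniter 3 query-builder form it recommends.
// Assumed: table name 'payroll'; column 'pay_id' comes from the advisory.
defined('BASEPATH') OR exit('No direct script access allowed');

class Payroll_model extends CI_Model
{
    // Vulnerable shape: $id is interpolated into the SQL text, so any
    // SQL metacharacter in it changes the statement's meaning.
    public function getAllSalaryDataById_vulnerable($id)
    {
        $sql = "SELECT * FROM payroll WHERE pay_id = '" . $id . "'";
        return $this->db->query($sql)->row_array();
    }

    // Hardened: the query builder escapes the bound value, and the
    // type check means a non-integer Id never reaches the database.
    public function getAllSalaryDataById($id)
    {
        if (!is_int($id) || $id <= 0) {
            return null;
        }
        return $this->db
            ->where('pay_id', $id)
            ->get('payroll')
            ->row_array();
    }
}

// Controller side (application/controllers/Payroll.php in the advisory):
// validate the GET parameter before it reaches the model.
class Payroll extends CI_Controller
{
    public function invoice()
    {
        $this->load->model('payroll_model');
        $raw = $this->input->get('Id', TRUE);
        if ($raw === null || !ctype_digit($raw)) {
            show_404();  // reject anything that is not a plain positive integer
            return;
        }
        $data['salary'] = $this->payroll_model->getAllSalaryDataById((int) $raw);
        $this->load->view('payroll/invoice', $data);
    }
}
```

In a real CodeIgniter project the model and controller live in separate files; they are shown together here only so the two halves of the fix can be read side by side.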
Preconditions
- network: The attacker must have network access to the HR system application and the ability to send crafted GET requests to the /hrsystem/payroll/invoice endpoint.
- config: The application must include the unpatched Invoice() function in Payroll.php that directly concatenates user input into SQL queries.
- input: The attacker must supply a malicious Id parameter value (e.g., containing SQL metacharacters) via the GET request.
Reproduction
The public PoC sends a request such as: http://192.168.1.37/hrsystem/payroll/invoice?Id=6'&em=Den1745, which triggers a database error confirming SQL injection [ref_id=1]. Further exploitation using sqlmap confirms the Id parameter is injectable via boolean-based, error-based, UNION query-based, and time-based blind techniques [ref_id=1].
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.