VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

yashpokharna2555 StudentManagementSystem success.php sql injection

CVE-2026-9469

Description

A weakness has been identified in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. The impacted element is an unknown function of the file /success.php. Manipulation of the argument User causes SQL injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in StudentManagementSystem's success.php allows unauthenticated remote attackers to bypass login authentication.

Vulnerability

A SQL injection vulnerability exists in success.php of yashpokharna2555's StudentManagementSystem (rolling release, commit cb2f558d). The $_POST['user'] parameter is directly concatenated into a SQL query without sanitization or parameterization, affecting the admin table authentication logic [1][2]. The code path is reachable by any visitor to the application's login endpoint.

Exploitation

An attacker can achieve authentication bypass by sending a crafted POST request to /success.php with the user parameter containing a SQL comment sequence (e.g., admin@admin.com' #). No prior authentication, special network position, or user interaction is required. The request is trivially crafted using tools such as curl [2]. The server responds with a redirect to index.php, confirming a successful authenticated session without the correct password.

Impact

Successful exploitation allows an attacker to impersonate any user stored in the admin table — including the administrator — without knowing their password. The attacker gains full access to the Student Management System's administrative interface, which can lead to complete confidentiality, integrity, and availability compromise of student records and system configuration [1][2].

Mitigation

As of the publication date (2026-05-25), no patched version is available; the project uses a rolling release model and has not responded to the vulnerability report [1]. The only workaround is to implement prepared statements or input sanitization in success.php manually, or discontinue use of the software until a fix is released [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and lack of parameterized queries allow SQL injection via the `user` POST parameter in `/success.php`."

Attack vector

An attacker sends a POST request to `/success.php` with a crafted `user` parameter containing a SQL injection payload, such as `admin@admin.com' #` [ref_id=1]. The unsanitized input is concatenated into the SQL query, causing the `#` (comment) character to comment out the password check [ref_id=1]. The attacker can supply any value for the `pass` parameter, and the query still returns a valid row, allowing authentication bypass [ref_id=1]. The attack is remotely exploitable over HTTP with no prior authentication required [ref_id=1].

Affected code

The vulnerability is in `/success.php`, lines 6–10 [ref_id=1]. The `$_POST['user']` parameter is directly concatenated into a SQL query without sanitization or parameterization [ref_id=1]. The password is MD5-hashed, but the `user` field is used unsanitized, enabling injection [ref_id=1].

What the fix does

The advisory recommends using prepared statements (parameterized queries) to separate SQL logic from user input, e.g., `$stmt = $db->prepare("SELECT * FROM admin WHERE user = ? AND password = ?")` [ref_id=1]. It also suggests validating input (e.g., checking that `$user` matches an email format) as an additional defense layer [ref_id=1]. No official patch has been released by the project maintainer [ref_id=1].
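The fix described above, as an added example (not the project's code or the advisory's): a login check that binds both values through a prepared statement and validates the e-mail format in front of it. The function names, the in-memory SQLite stand-in for the application's MySQL database, and the seeded row are assumptions; the `admin` table, its `user` and `password` columns, the MD5 hashing and the sample input are taken from the page.

```php
<?php
declare(strict_types=1);

// Stand-in database (assumption): in-memory SQLite via PDO so the example runs offline.
// The application itself uses MySQL; prepare()/execute() are used the same way there.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (user TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample row; md5() only mirrors the hashing the advisory says the app uses.
$seed = $db->prepare('INSERT INTO admin (user, password) VALUES (?, ?)');
$seed->execute(['admin@admin.com', md5('constructed-sample-password')]);

// Layer 1: parameterized lookup. Both values are bound as data, so a quote or
// '#' inside $user cannot end the string literal or comment out the password check.
function find_admin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT 1 FROM admin WHERE user = ? AND password = ?');
    $stmt->execute([$user, md5($pass)]);
    return $stmt->fetchColumn() !== false;
}

// Layer 2: input validation before the query, as the advisory suggests.
function check_login(PDO $db, mixed $user, mixed $pass): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false; // a POST field sent as user[]=... arrives as an array
    }
    if (filter_var($user, FILTER_VALIDATE_EMAIL) === false) {
        return false; // not an e-mail address: rejected before any SQL runs
    }
    return find_admin($db, $user, $pass);
}

// Constructed test inputs; the third is the sample value quoted in the advisory.
$cases = [
    'valid credentials'         => ['admin@admin.com', 'constructed-sample-password'],
    'wrong password'            => ['admin@admin.com', 'anything'],
    'payload from the advisory' => ["admin@admin.com' #", 'anything'],
];
foreach ($cases as $label => [$user, $pass]) {
    printf("%-26s query-only=%s validated=%s\n", $label,
        var_export(find_admin($db, $user, $pass), true),
        var_export(check_login($db, $user, $pass), true));
}
```

The script needs PHP 8 with the `pdo_sqlite` extension; only the first case should report `true`, in both columns.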

Preconditions

  • network: The attacker must be able to send HTTP POST requests to the /success.php endpoint.
  • config: The database must be initialized with the provided init_db.sql script (default credentials present).
  • auth: No authentication is required before sending the malicious request.
  • input: The attacker supplies a crafted 'user' POST parameter containing SQL injection syntax.

Reproduction

1. Import the database: `mysql -u root -p

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
