yashpokharna2555 StudentManagementSystem studentdel.php confirm_logged_in sql injection
Description
A vulnerability was found in yashpokharna2555 StudentManagementSystem up to cb2f558ddf8d19396de0f92abf2d224d46a0a203. Affected by this issue is the function confirm_logged_in of the file /studentdel.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in StudentManagementSystem's studentdel.php allows remote attackers to delete all student records.
Vulnerability
The vulnerability resides in the confirm_logged_in function within /studentdel.php of the yashpokharna2555/StudentManagementSystem project [1]. The $_GET['id'] parameter is directly concatenated into a DELETE SQL query without sanitization or parameterization, leading to SQL injection [2]. The affected code path is present in all versions up to commit cb2f558ddf8d19396de0f92abf2d224d46a0a203; the project operates on a rolling release basis with no explicit version numbers [1].
Exploitation
An attacker can exploit this vulnerability remotely without any authentication or prior knowledge [2]. The attack requires only a crafted GET request to studentdel.php with a malicious id parameter. For example, sending id=9999%20OR%201=1 causes the application to execute DELETE FROM ... WHERE id = 9999 OR 1=1, deleting every student record [2]. No cookies or session tokens are needed, and the attacker does not need to be logged in [2].
Impact
Successful exploitation results in complete deletion of all student records from the database, leading to total data loss and denial of service [2]. The application becomes unusable until the data is restored. An attacker could also selectively delete records to disrupt operations [2]. No privilege escalation is required; the action is performed as an unauthenticated user [2].
Mitigation
As of the publication date, no official fix has been released. The project maintainer was informed via an issue report but has not responded [2]. The only mitigation is to manually implement authentication checks (e.g., include session.php and call confirm_logged_in()) and use prepared statements or parameterized queries for the id parameter [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- [1] GitHub - yashpokharna2555/StudentManagementSystem: Student Management System is a project where all the large records can be easily handled in efficient manner. Technology used for this project are HTML, CSS, JavaScript, PHP, MySQL, SQL
- [2] Unauthorised Arbitrary Data Deletion (IDOR + SQL Injection) in `studentdel.php`
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=cb2f558ddf8d19396de0f92abf2d224d46a0a203
- (no CPE) range: <= cb2f558ddf8d19396de0f92abf2d224d46a0a203
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication check and unsanitized string concatenation of user-supplied `id` parameter into a SQL DELETE query."
Attack vector
An unauthenticated attacker sends a GET request to `/studentdel.php` with a crafted `id` parameter. Because the endpoint performs no authentication check and concatenates the raw `id` value into a DELETE query, the attacker can inject SQL such as `9999 OR 1=1` to delete all student records [ref_id=1]. The attack requires only network access to the application and no cookies or credentials.
Affected code
The vulnerable function is `confirm_logged_in` in `/studentdel.php`, but the root issue is that this authentication check is never actually called. The file directly uses `$_GET['id']` in a DELETE SQL query via string concatenation around lines 19–21 [ref_id=1]. No session validation or input sanitization is present.
What the fix does
No patch has been published; the project was notified via an issue report but has not responded [ref_id=1]. The advisory recommends adding authentication by including `session.php` and calling `confirm_logged_in()` before processing the request, and replacing string concatenation with parameterized queries or prepared statements to prevent SQL injection [ref_id=1].
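The two recommended changes, sketched as an added example (not the project's code and not a published patch). `session.php` and `confirm_logged_in()` are the names the advisory cites; the connection settings, the `student_example` table name and the `parse_record_id`/`delete_student` helpers are hypothetical, because the page elides the real table name.

```php
<?php
declare(strict_types=1);

// 1. Authentication first: the advisory says this check exists but is never called.
require_once 'session.php';
confirm_logged_in();

// Hypothetical connection settings; make mysqli throw instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'sms_app', getenv('SMS_DB_PASSWORD') ?: '', 'sms_example');

// 2. Strict input validation: only a positive integer is an acceptable id.
//    A value such as "9999 OR 1=1" fails validation and never reaches the database.
function parse_record_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Parameterized DELETE: the id is bound as an integer ('i'), so it can only
//    ever be data, never SQL text. Table name is a placeholder.
function delete_student(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM student_example WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

$id = parse_record_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// At most one row can match a single bound id; report a miss explicitly.
$deleted = delete_student($db, $id);
http_response_code($deleted === 1 ? 200 : 404);
echo $deleted === 1 ? 'Deleted' : 'No such record';
```

Either control alone leaves a gap: the prepared statement stops the injection but still lets anyone delete a record by id, and the login check alone leaves the injection open to any authenticated user.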
Preconditions
- network: The application must be running and reachable over the network.
- auth: No authentication or session is required; the attacker can be unauthenticated.
Reproduction
1. Ensure the application is running (e.g., at `http://127.0.0.1:8000`).
2. Without logging in, craft a malicious URL: `http://127.0.0.1:8000/studentdel.php?type=student&id=9999%20OR%201=1`
3. Open the URL in a browser or send a GET request (no cookies needed).
4. The application executes `DELETE FROM ... WHERE id = 9999 OR 1=1`, deleting every student record.
5. Observe the JavaScript alert "Successfully Deleted." and redirection to `student.php` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/yashpokharna2555/StudentManagementSystem/issues/5 (mitre: exploit, issue-tracking)
- vuldb.com/submit/814004 (mitre: third-party-advisory)
- vuldb.com/vuln/365455 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365455/cti (mitre: signature, permissions-required)