Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php.
AnalysisAI
SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/inquiries/view_details.php allows high-privileged authenticated administrators to extract limited data via crafted SQL queries. The vulnerability requires admin-level access and produces only confidentiality impact with minimal real-world exploitation likelihood (EPSS 0.02%, CVSS 2.7, SSVC framework indicates no practical exploitation path).
Technical ContextAI
The vulnerability is a classic SQL injection flaw (CWE-89) in a PHP-based management system. The vulnerable endpoint /rsms/admin/inquiries/view_details.php fails to properly sanitize or parameterize user input before constructing SQL queries. SQL injection occurs when untrusted input is concatenated directly into SQL statements, allowing attackers to modify query logic. In this case, the PHP application processes data through the admin inquiries module without adequate prepared statements or input validation, enabling an authenticated administrator to inject arbitrary SQL syntax to bypass intended query constraints and access unauthorized data.
RemediationAI
Implement parameterized SQL queries (prepared statements with placeholders) in /rsms/admin/inquiries/view_details.php to eliminate SQL injection. Replace all string concatenation in SQL construction with vendor-specific prepared statement syntax (mysqli prepared statements for PHP-MySQLi or PDO parameterized queries for database-agnostic code). Apply input validation to whitelist expected parameter formats and lengths. If an official patch is released by the vendor, upgrade to the patched version immediately. Until patching, restrict admin console access via network-level controls (IP whitelisting, VPN-only access) and enable comprehensive audit logging of all admin inquiries module activity to detect suspicious SQL patterns. Review the GitHub vulnerability report (https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/computer-and-mobile-repair-shop-management-system/SQL-4.md) for technical details and proof-of-concept examples to validate remediation effectiveness.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21966