Multi Vendor Online Grocery Management System
Monthly
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.
Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.
Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.