Restaurant Website Php Mysql
Monthly
Unauthenticated access to the administrative AJAX endpoint in jairiidriss/restaurant-website-php-mysql exposes backend admin functions to any remote attacker without credentials. The /admin/ajax_files endpoint fails to enforce authentication (CWE-306), allowing manipulation of whatever administrative operations it services - likely CRUD operations on menu items, orders, or reservations. No CISA KEV listing exists, but a public proof-of-concept was published via GitHub issue #6, and the maintainer has not responded to disclosure, leaving all deployments up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35 unpatched.
Unauthenticated access to the administrative AJAX endpoint in jairiidriss/restaurant-website-php-mysql exposes backend admin functions to any remote attacker without credentials. The /admin/ajax_files endpoint fails to enforce authentication (CWE-306), allowing manipulation of whatever administrative operations it services - likely CRUD operations on menu items, orders, or reservations. No CISA KEV listing exists, but a public proof-of-concept was published via GitHub issue #6, and the maintainer has not responded to disclosure, leaving all deployments up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35 unpatched.