Simple Pos And Inventory System

4 CVEs for this product

CVE-2026-9447 | MEDIUM | POC | This Month

SQL injection in SourceCodester Simple POS and Inventory System 1.0 exposes the application to unauthenticated remote data extraction and manipulation via the Name parameter in /user/search.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and a publicly available proof-of-concept exploit (GitHub gist) lowers the bar for exploitation. No active exploitation has been confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) indicates limited real-world exploitation activity at time of analysis despite the public POC.

Tags: PHP, SQLi, Simple Pos And Inventory System
References: NVD, VulDB, GitHub
CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-9446 | LOW | POC | Monitor

SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote authenticated administrators to manipulate database queries via the ID parameter in /admin/edit_customer.php. The vulnerability is tagged CWE-89 and carries a CVSS 4.0 base score of 2.0, reflecting the high privilege requirement that limits the attacker pool to those with existing admin access. Publicly available exploit code exists (hosted on GitHub Gist), though EPSS remains very low at 0.03% (8th percentile), and there is no CISA KEV listing, indicating no confirmed widespread exploitation at time of analysis.

Tags: PHP, SQLi, Simple Pos And Inventory System
References: NVD, VulDB, GitHub
CVSS 4.0: 2.0 | EPSS: 0.0%
CVE-2026-9445 | LOW | POC | Monitor

Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows authenticated remote attackers to upload arbitrary files through the image argument of /admin/addproduct.php, potentially enabling web shell deployment and remote code execution. A publicly available proof-of-concept exploit exists (GitHub gist), and the SSVC exploitation status is "poc". Despite the severe nature of CWE-434 unrestricted upload flaws, EPSS sits at 0.04% (11th percentile) and CISA has not added this to KEV, indicating limited observed exploitation in the wild at time of analysis.

Tags: PHP, File Upload, Simple Pos And Inventory System
References: NVD, VulDB, GitHub
CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-9444 | LOW | POC | Monitor

SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows a remote, high-privileged (admin-level) attacker to manipulate database queries via the unsanitized 'ID' GET parameter in /admin/deleteproduct.php. Successful exploitation yields partial read, write, and availability impact on the underlying database. Although the record states that no public exploit was identified at time of analysis, that statement is incorrect: publicly available exploit code does exist (GitHub gist). No confirmed active exploitation (KEV) has been observed, and the EPSS score of 0.03% reflects minimal real-world exploitation pressure.

Tags: PHP, SQLi, Simple Pos And Inventory System
References: NVD, VulDB, GitHub
CVSS 4.0: 2.0 | EPSS: 0.0%