SQL Injection

web HIGH

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements.

How It Works

SQL injection exploits the way applications construct database queries by mixing user input directly into SQL statements. When developers concatenate untrusted data into queries without proper sanitization, attackers can inject SQL syntax that changes the query's logic. For example, entering ' OR '1'='1 into a login form might transform SELECT * FROM users WHERE username='input' into a query that always returns true, bypassing authentication.

Attackers follow a methodical process: first probing input fields with special characters like quotes or semicolons to trigger database errors, then identifying whether the application is vulnerable. Once confirmed, they escalate by injecting commands to extract data (UNION-based attacks to merge results from other tables), manipulate records, or probe the database structure. Blind SQL injection variants work without visible error messages—boolean-based attacks infer data by observing application behavior changes, while time-based attacks use database sleep functions to confirm successful injection through response delays.

Advanced scenarios include second-order injection, where malicious input is stored in the database and later executed in a different context, and out-of-band attacks that exfiltrate data through DNS queries or HTTP requests when direct data retrieval isn't possible. Some database systems enable attackers to execute operating system commands through built-in functions like MySQL's LOAD_FILE or SQL Server's xp_cmdshell, escalating from database compromise to full server control.

Impact

  • Complete data breach — extraction of entire database contents including credentials, personal information, and proprietary data
  • Authentication bypass — logging in as any user without knowing passwords
  • Data manipulation — unauthorized modification or deletion of critical records
  • Privilege escalation — granting administrative rights to attacker-controlled accounts
  • Remote code execution — leveraging database features to run operating system commands and compromise the underlying server
  • Lateral movement — using compromised database credentials to access other connected systems

Real-World Examples

FreePBX's CVE-2025-66039 demonstrated a complete attack chain where SQL injection across 11 parameters in four different endpoints allowed attackers to write malicious entries into the cron_jobs table. When the system's scheduler executed these entries, the injected SQL transformed into operating system commands, granting full server control. The vulnerability required no authentication, making it immediately exploitable.

E-commerce platforms have suffered massive breaches through shopping cart SQL injection, where attackers inserted skimming code into stored procedures that executed during checkout, harvesting credit card data from thousands of transactions. Healthcare systems have been compromised through patient portal vulnerabilities, exposing millions of medical records when attackers injected UNION queries to merge data from supposedly isolated tables.

Mitigation

  • Parameterized queries (prepared statements) — separates SQL logic from data, making injection syntactically impossible
  • Object-Relational Mapping (ORM) frameworks — abstracts database interactions with built-in protections when used correctly
  • Strict input validation — whitelist acceptable characters and formats, reject suspicious patterns
  • Least privilege database accounts — applications should use credentials with minimal necessary permissions
  • Web Application Firewall (WAF) — detects and blocks common injection patterns as a secondary defense layer
  • Database activity monitoring — alerts on unusual query patterns or privilege escalation attempts

Recent CVEs (4653)

CVE-2024-0485
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability, which was classified as critical, was found in code-projects Fighting Cock Information System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Fighting Cock Information System
NVD GitHub VulDB
CVE-2024-0484
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in code-projects Fighting Cock Information System 1.0.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Fighting Cock Information System
NVD GitHub VulDB
CVE-2024-0483
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability classified as critical was found in Taokeyun up to 1.0.5. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Taokeyun
NVD VulDB
CVE-2024-0482
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability classified as critical has been found in Taokeyun up to 1.0.5. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Taokeyun
NVD VulDB
CVE-2024-0481
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in Taokeyun up to 1.0.5. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Taokeyun
NVD VulDB
CVE-2024-0480
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability was found in Taokeyun up to 1.0.5. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Taokeyun
NVD VulDB
CVE-2024-0479
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability was found in Taokeyun up to 1.0.5. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Taokeyun
NVD VulDB
CVE-2024-0478
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Fighting Cock Information System 1.0 and classified as critical.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Fighting Cock Information System
NVD GitHub VulDB
CVE-2024-0477
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability has been found in code-projects Fighting Cock Information System 1.0 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Fighting Cock Information System
NVD GitHub VulDB
CVE-2024-0475
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in code-projects Dormitory Management System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Dormitory Management System
NVD GitHub VulDB
CVE-2024-0474
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability classified as critical was found in code-projects Dormitory Management System 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Dormitory Management System
NVD GitHub VulDB
CVE-2024-0473
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability classified as critical has been found in code-projects Dormitory Management System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Dormitory Management System
NVD GitHub VulDB
CVE-2024-0471
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Human Resource Integrated System
NVD GitHub VulDB
CVE-2024-0470
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Human Resource Integrated System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Human Resource Integrated System
NVD GitHub VulDB
CVE-2024-0469
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Human Resource Integrated System 1.0 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Human Resource Integrated System
NVD GitHub VulDB
CVE-2024-0466
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in code-projects Employee Profile Management System 1.0.php. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

PHP SQLi Employee Profile Management System
NVD GitHub VulDB
CVE-2024-0464
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability classified as critical has been found in code-projects Online Faculty Clearance 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Online Faculty Clearance
NVD GitHub VulDB
CVE-2024-0463
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Online Faculty Clearance 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Online Faculty Clearance System
NVD GitHub VulDB
CVE-2024-0462
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Online Faculty Clearance 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Online Faculty Clearance System
NVD GitHub VulDB
CVE-2024-0461
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Online Faculty Clearance 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Online Faculty Clearance System
NVD GitHub VulDB
CVE-2024-0460
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability was found in code-projects Faculty Management System 1.0 and classified as critical.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Faculty Management System
NVD GitHub VulDB
CVE-2024-0459
EPSS 0% CVSS 4.7
MEDIUM POC Monitor

A vulnerability has been found in Blood Bank & Donor Management 5.6 and classified as critical. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Blood Bank Donor Management System
NVD VulDB
CVE-2024-0426
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in ForU CMS up to 2020-06-23.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Foru Cms
NVD GitHub VulDB
CVE-2024-22196 Go
EPSS 1% CVSS 7.0
HIGH POC PATCH This Month

Nginx-UI is an online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Nginx SQLi +1
NVD GitHub
CVE-2024-0389
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in SourceCodester Student Attendance System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Student Attendance System
NVD VulDB
CVE-2024-0364
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Hospital Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
CVE-2024-0363
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
CVE-2024-0362
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Hospital Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
CVE-2024-0361
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Hospital Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
CVE-2024-0360
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in PHPGurukul Hospital Management System 1.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Hospital Management System
NVD VulDB GitHub
CVE-2024-0359
EPSS 0% CVSS 7.3
HIGH POC This Month

A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Simple Online Hotel Reservation System
NVD GitHub VulDB
CVE-2024-0357
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was found in coderd-repos Eva 1.0.0 and classified as critical. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

SQLi Eva
NVD GitHub VulDB
CVE-2024-0355
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Dairy Farm Shop Management System up to 1.1. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Dairy Farm Shop Management System
NVD VulDB
CVE-2024-0344
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in soxft TimeMail up to 1.1. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

PHP SQLi Timemail
NVD VulDB
CVE-2024-0342
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability classified as critical has been found in Inis up to 2.0.1. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Inis
NVD VulDB
CVE-2024-21747
EPSS 0% CVSS 7.6
HIGH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM &. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Wp Erp
NVD
CVE-2024-0307
EPSS 0% CVSS 7.3
HIGH POC This Month

A vulnerability was found in Kashipara Dynamic Lab Management System up to 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Dynamic Lab Management System
NVD GitHub VulDB
CVE-2024-0306
EPSS 0% CVSS 7.3
HIGH POC This Month

A vulnerability was found in Kashipara Dynamic Lab Management System up to 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Dynamic Lab Management System
NVD GitHub VulDB
CVE-2024-0301
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical was found in fhs-opensource iparking 1.5.22.RELEASE. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi Iparking
NVD GitHub VulDB
CVE-2024-0290
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Kashipara Food Management System 1.0.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0289
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical was found in Kashipara Food Management System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0288
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in Kashipara Food Management System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0287
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Kashipara Food Management System 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0281
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0280
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0279
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0278
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Kashipara Food Management System up to 1.0.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0277
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical was found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0276
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0275
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0274
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0273
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0272
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0271
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0270
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Food Management System
NVD GitHub VulDB
CVE-2024-0268
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability, which was classified as critical, has been found in Kashipara Hospital Management System up to 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
CVE-2024-0267
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability classified as critical was found in Kashipara Hospital Management System up to 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Hospital Management System
NVD GitHub VulDB
CVE-2024-0247
EPSS 0% CVSS 7.3
HIGH POC This Week

A vulnerability classified as critical was found in CodeAstro Online Food Ordering System 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD VulDB
CVE-2024-0182
EPSS 0% CVSS 7.3
HIGH This Month

A vulnerability was found in SourceCodester Engineers Online Portal 1.0 and classified as critical. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Engineers Online Portal
NVD VulDB
CVE-2023-2075
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A SQL injection vulnerability exists in Campcodes Online Traffic Offense Management System version 1.0, specifically in the /admin/offenses/view_details.php file where the 'id' parameter is improperly sanitized. An authenticated attacker with low privileges can exploit this remotely without user interaction to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. A public proof-of-concept has been disclosed, though the EPSS score of 0.07% (20th percentile) suggests real-world exploitation remains relatively unlikely despite the theoretical severity.

SQLi PHP Online Traffic Offense Management System
NVD GitHub VulDB
CVE-2023-2074
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A SQL injection vulnerability exists in Campcodes Online Traffic Offense Management System version 1.0 within the /classes/Master.php file, where the 'id' parameter is not properly sanitized, allowing authenticated attackers to execute arbitrary SQL queries remotely. An attacker with valid credentials can leverage this vulnerability to read, modify, or delete database contents, potentially compromising sensitive traffic offense records. Public proof-of-concept code is available, increasing real-world exploitation risk.

SQLi PHP Online Traffic Offense Management System
NVD GitHub VulDB
CVE-2023-2073
EPSS 0% CVSS 7.3
HIGH POC This Week

A critical SQL injection vulnerability exists in the Login.php file of Campcodes Online Traffic Offense Management System 1.0, specifically in the password parameter handling. The vulnerability allows remote attackers to bypass authentication and manipulate database queries without requiring any privileges or user interaction. A public proof-of-concept exploit is available on GitHub, though the EPSS score of 0.07% (20th percentile) suggests relatively low observed exploitation activity in the wild.

SQLi PHP Authentication Bypass +1
NVD GitHub VulDB
CVE-2006-5840
EPSS 3% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability affecting Abarcar Realty Portal versions 5.1.5 and 6.0.1, allowing unauthenticated remote attackers to execute arbitrary SQL commands via the 'neid' parameter in newsdetails.php. With a publicly available proof-of-concept exploit and a high EPSS score of 2.69% (86th percentile), this vulnerability poses significant risk despite vendor claims that slistl.php/slid never existed and current versions only generate static pages.

SQLi PHP Abarcar Realty Portal
NVD VulDB
Prev Page 52 of 52

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
4653

Related CWEs

MITRE ATT&CK

References

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy