SQL Injection Vulnerability in SourceCodester Simple Invoice Generator System
CVE-2024-8560

8.8 HIGH

Key Information:

Vendor
CVE Published:
7 September 2024

Summary

A significant SQL injection vulnerability has been identified in the SourceCodester Simple Invoice Generator System version 1.0. This vulnerability arises from improper validation of input parameters within the '/save_invoice.php' file, specifically in the handling of invoice-related fields such as invoice_code, customer, cashier, total_amount, discount_percentage, discount_amount, and tendered_amount. Malicious actors can exploit this vulnerability to execute arbitrary SQL commands, potentially allowing unauthorized access to sensitive data or manipulation of the underlying database. The vulnerability can be exploited remotely, raising serious security concerns for users of the product. Prompt action is advised to mitigate the risks associated with this critical security flaw.
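As an added illustration (not the project's actual source, which this advisory does not reproduce), the vulnerable pattern the summary describes beside a hardened rewrite of the same insert. The table name `invoices` and the request array are assumptions; the column names are the fields the advisory lists.

```php
<?php
// Constructed illustration for CVE-2024-8560, not the SourceCodester code itself.
// Assumes a MySQL table `invoices` whose columns match the fields named in the advisory.

// BEFORE (vulnerable pattern): request values are concatenated into the SQL text,
// so the content of any listed field is parsed by the database as part of the statement.
function save_invoice_unsafe(mysqli $db, array $req): bool
{
    $sql = "INSERT INTO invoices (invoice_code, customer, cashier, total_amount, "
         . "discount_percentage, discount_amount, tendered_amount) VALUES ('"
         . $req['invoice_code'] . "', '" . $req['customer'] . "', '" . $req['cashier'] . "', "
         . $req['total_amount'] . ", " . $req['discount_percentage'] . ", "
         . $req['discount_amount'] . ", " . $req['tendered_amount'] . ")";
    return $db->query($sql) !== false;
}

// AFTER (hardened): validate the type and length of every field first, then bind each
// value as a parameter so user input is never interpreted as SQL.
function save_invoice_safe(PDO $db, array $req): bool
{
    $text = ['invoice_code', 'customer', 'cashier'];
    $nums = ['total_amount', 'discount_percentage', 'discount_amount', 'tendered_amount'];
    foreach ($text as $k) {
        if (!isset($req[$k]) || !is_string($req[$k]) || strlen($req[$k]) > 100) {
            return false;   // reject missing, non-string or oversized text fields
        }
    }
    foreach ($nums as $k) {
        if (!isset($req[$k]) || filter_var($req[$k], FILTER_VALIDATE_FLOAT) === false) {
            return false;   // reject anything that is not a plain number
        }
    }
    $stmt = $db->prepare(
        'INSERT INTO invoices (invoice_code, customer, cashier, total_amount, '
      . 'discount_percentage, discount_amount, tendered_amount) '
      . 'VALUES (:invoice_code, :customer, :cashier, :total_amount, '
      . ':discount_percentage, :discount_amount, :tendered_amount)'
    );
    foreach ($text as $k) {
        $stmt->bindValue(":$k", $req[$k], PDO::PARAM_STR);
    }
    foreach ($nums as $k) {
        $stmt->bindValue(":$k", (float) $req[$k]);   // bound as a value, not spliced into SQL
    }
    return $stmt->execute();
}
```

Set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so the statement is prepared server-side rather than client-side, and in a real application derive `cashier` from the authenticated session instead of trusting it from the request.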

Affected Version(s)

Simple Invoice Generator System 1.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Delvy (VulDB User)