CVE-2026-36941
SQL Injection in Sourcecodester ORM System Allows Data Manipulation
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | online_resort_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Online Resort Management System v1.0 by Sourcecodester has an SQL injection vulnerability in the file /orms/admin/rooms/manage_room.php.
This vulnerability exists in the 'id' parameter of the URL, which allows an attacker to manipulate the input to execute arbitrary SQL queries on the database.
For example, an attacker can use a specially crafted payload to union-select data from the database, such as the database name, thereby leaking sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Online Resort Management System v1.0 allows unauthorized attackers to execute arbitrary SQL queries and potentially disclose sensitive database information. Such unauthorized data disclosure can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.
Therefore, this vulnerability could negatively impact compliance with common standards and regulations by exposing sensitive data and failing to ensure adequate security controls.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in the file /orms/admin/rooms/manage_room.php, immediate steps include:
- Restrict access to the vulnerable admin module to trusted users only.
- Apply input validation and sanitization on the 'id' parameter to prevent malicious SQL code execution.
- Use prepared statements or parameterized queries in the PHP code to handle database queries safely.
- Monitor and review logs for suspicious activity related to the 'id' parameter in the URL.
- If possible, temporarily disable or restrict the vulnerable functionality until a patch or fix is applied.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the backend database.
- Unauthorized disclosure of sensitive data stored in the database.
- Potential modification or deletion of database records.
- Compromise of the integrity and confidentiality of the system's data.
- Possible further exploitation leading to full system compromise depending on the database and system configuration.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the `id` parameter in the URL `/orms/admin/rooms/manage_room.php?id=` for SQL injection payloads.
A common detection method is to send a specially crafted HTTP request that attempts to manipulate the SQL query, such as using a UNION SELECT statement to extract database information.
An example command using curl to test the vulnerability is:
- curl -i "http://<target>/orms/admin/rooms/manage_room.php?id=-1' union select 1,database(),3,4,5,6,7,8,9,10--+" -b PHPSESSID=<session_id>
This command sends a request with the SQL injection payload in the `id` parameter and includes the PHPSESSID cookie to maintain session context.