CVE-2026-36942
SQL Injection in Sourcecodester Resort Management System Admin Module
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | online_resort_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The Online Resort Management System v1.0 by Sourcecodester has an SQL injection vulnerability in the file /orms/admin/activities/manage_activity.php.
This vulnerability occurs at the URL parameter 'id' where an attacker can inject malicious SQL code.
For example, an attacker can use a payload like `/orms/admin/activities/manage_activity.php?id=-3' union select 1,database(),3,4,5,6,7,8--+` to execute arbitrary SQL queries.
This allows the attacker to retrieve sensitive information such as the current database name and potentially other data from the database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in the Sourcecodester Online Resort Management System v1.0 allows attackers to execute arbitrary SQL queries, which can lead to unauthorized access and leakage of sensitive data stored in the system's database.
Such unauthorized data access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.
Failure to secure against SQL injection vulnerabilities may result in violations of these regulations, leading to legal consequences, fines, and damage to organizational reputation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in the file /orms/admin/activities/manage_activity.php, immediate steps include validating and sanitizing the input parameter 'id' to prevent malicious SQL code execution.
Implement prepared statements or parameterized queries in the PHP code to safely handle user inputs.
Restrict database permissions to limit the impact of a potential SQL injection attack.
If possible, apply any available patches or updates from the software vendor or consider disabling the vulnerable functionality until a fix is applied.
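The following is an added example, not code from Sourcecodester's project or from this page: it shows the vulnerable pattern the answer above describes (string concatenation of the `id` parameter) next to the hardened form that validates the parameter as an integer and binds it through a mysqli prepared statement. The table and column names (`activities`, `id`, `name`, `price`), the connection details, and the function names are assumptions, since the real schema is not on the page; `get_result()` additionally assumes the mysqlnd driver.

```php
<?php
// Added example (not the vendor's code). Hypothetical reconstruction of a
// manage_activity.php handler, before and after the fix. Schema names assumed.
declare(strict_types=1);

// --- Vulnerable pattern (illustrative only) ---
// The untrusted 'id' query parameter is concatenated into the SQL text, so a
// value that contains a quote and a UNION changes the structure of the query.
function load_activity_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM activities WHERE id = '" . $id . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern ---
// Step 1: validate. A legitimate activity id is a positive integer; any other
// string (quotes, keywords, comment markers, empty input) is rejected up front.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: parameterize. The value is bound to a placeholder, so the database
// receives it as data and never parses it as part of the SQL statement.
function load_activity_safe(mysqli $db, array $get): ?array
{
    $id = validate_id((string) ($get['id'] ?? ''));
    if ($id === null) {
        http_response_code(400);   // reject rather than fall through
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, price FROM activities WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (connection parameters are placeholders). Throwing on mysqli errors
// prevents a failed query from silently returning partial or empty data.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'orms_app', 'APP_PASSWORD_PLACEHOLDER', 'orms');
$activity = load_activity_safe($db, $_GET);
header('Content-Type: application/json');
echo json_encode($activity ?? ['error' => 'invalid or unknown activity id']);
```

Step 3 from the answer above, limiting database permissions, is done on the database side rather than in PHP: the `orms_app` account used here should hold only the `SELECT`, `INSERT`, `UPDATE` and `DELETE` rights the application needs on the `orms` schema, so that even a successful injection cannot read other schemas or system tables.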
How can this vulnerability impact me?
This SQL injection vulnerability can allow an attacker to execute arbitrary SQL queries on the database.
As a result, the attacker may be able to leak sensitive data, manipulate or delete data, and potentially compromise the entire system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by testing the vulnerable URL parameter `id` in the file `/orms/admin/activities/manage_activity.php` for injection flaws.
A common detection method is to send specially crafted HTTP requests that include SQL injection payloads and observe the responses for unexpected data or errors.
- Example payload to test the vulnerability: `/orms/admin/activities/manage_activity.php?id=-3' union select 1,database(),3,4,5,6,7,8--+`
You can use command-line tools like curl to send this request and check if the response contains database information, indicating a successful injection.
- Example curl command (the single quote inside the `id` value is percent-encoded as `%27` so that the whole URL stays inside one shell-quoted string): `curl 'http://<target>/orms/admin/activities/manage_activity.php?id=-3%27%20union%20select%201,database(),3,4,5,6,7,8--+'`
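As a defender-side complement to the request-based check above, the following added example (not from this page or the vendor) scans web-server access-log lines in the common combined format and flags every request to `/orms/admin/activities/manage_activity.php` whose `id` parameter is not a plain integer, which is the only shape a legitimate request to that endpoint should have. The log lines in the block are constructed for illustration; the function and constant names are the example's own.

```php
<?php
// Added example: retrospective detection over access logs. Log lines below are
// constructed samples, not real traffic.
declare(strict_types=1);

const TARGET_PATH = '/orms/admin/activities/manage_activity.php';

// Returns the log lines whose 'id' parameter for the target path is anything
// other than an integer, together with the decoded parameter value.
function flag_suspicious_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format carries the request as "METHOD URL HTTP/x.y".
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== TARGET_PATH || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params);   // also percent-decodes the values
        $id = $params['id'] ?? null;
        if ($id === null) {
            continue;
        }
        // Quotes, UNION, comment markers or whitespace all fail integer validation.
        if (filter_var($id, FILTER_VALIDATE_INT) === false) {
            $hits[] = ['id' => $id, 'line' => $line];
        }
    }
    return $hits;
}

// Constructed sample lines: one normal request, one carrying an injection attempt.
$sample = [
    '203.0.113.5 - - [13/Apr/2026:10:01:02 +0000] "GET ' . TARGET_PATH . '?id=12 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Apr/2026:10:01:07 +0000] "GET ' . TARGET_PATH
        . '?id=-3%27%20union%20select%201,database(),3,4,5,6,7,8--+ HTTP/1.1" 200 1610 "-" "curl/8.0"',
    '203.0.113.5 - - [13/Apr/2026:10:01:09 +0000] "GET /orms/admin/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

// Typical use: php scan.php < /var/log/apache2/access.log
$lines = (PHP_SAPI === 'cli' && !stream_isatty(STDIN))
    ? file('php://stdin', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : $sample;

foreach (flag_suspicious_requests($lines) as $hit) {
    printf("ALERT non-integer id %s\n  %s\n", json_encode($hit['id']), $hit['line']);
}
```

Because the check is on the shape of the parameter rather than on a keyword list, it also catches encodings and variations of the payload that a `union select` string match would miss, at the cost of flagging any non-numeric `id` value, which for this endpoint is acceptable.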