CVE-2026-36943
Status: Received - Intake
SQL Injection in Sourcecodester Repair Shop Management System

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: MITRE

Description
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/manage_repair.php.
Meta Information
  • Published: 2026-04-13
  • Last Modified: 2026-04-13
  • Generated: 2026-06-16
  • AI Q&A: 2026-04-13
  • EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
  • Vendor: sourcecodester; Product: computer_and_mobile_repair_shop_management_system; Version: 1.0
CWE
  • CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Compliance Impact

The SQL injection vulnerability in the Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized disclosure or manipulation of data within the backend database.

Such unauthorized access or data breaches can compromise the confidentiality and integrity of sensitive information, which may result in non-compliance with data protection regulations and standards like GDPR and HIPAA that require safeguarding personal and health-related data.

Executive Summary

CVE-2026-36943 is an SQL injection vulnerability found in the Sourcecodester Computer and Mobile Repair Shop Management System v1.0. It exists in the file /rsms/admin/repairs/manage_repair.php, specifically in the URL parameter 'id'.

An attacker can manipulate the 'id' parameter to inject malicious SQL code, such as using a UNION SELECT statement to extract sensitive information from the backend database named 'rsms_db'.

Impact Analysis

This SQL injection vulnerability allows an attacker to execute arbitrary SQL commands on the backend database. Potential consequences include:

  • Unauthorized disclosure of sensitive data stored in the database.
  • Manipulation or deletion of data within the 'rsms_db' database.
  • Potential compromise of the integrity and confidentiality of the system's data.
Detection Guidance

This vulnerability can be detected by testing the SQL injection point in the URL parameter 'id' of the endpoint /rsms/admin/?page=repairs/manage_repair&id=.

A common detection method is to send a crafted HTTP request with an SQL injection payload and observe the response for database errors or unexpected data.

An example payload to test the vulnerability is:

  • `/rsms/admin/?page=repairs/manage_repair&id=0' union select 1,2,3,database(),5,6,7,8,9--+`

You can use command-line tools like curl to send this request and check the response. For example:

  • `curl "http://[target]/rsms/admin/?page=repairs/manage_repair&id=0'%20union%20select%201,2,3,database(),5,6,7,8,9--+" -H "Cookie: PHPSESSID=your_session_id"`

Replace [target] with the target system's address and your_session_id with a valid session ID if authentication is required.

Mitigation Strategies

To mitigate the SQL injection vulnerability in Sourcecodester Computer and Mobile Repair Shop Management System v1.0, immediate steps include:

  • Avoid using the vulnerable URL parameter `id` in `/rsms/admin/?page=repairs/manage_repair&id=` until a fix is applied.
  • Implement input validation and parameterized queries or prepared statements in the `manage_repair.php` file to prevent SQL injection.
  • Restrict database permissions to limit the impact of any potential injection.
  • Monitor and review logs for suspicious activity related to the `id` parameter.
  • Apply any available patches or updates from the vendor or developer addressing this vulnerability.
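As an added example for the detection guidance above and the log-monitoring step (this is not part of the CVE record or the vendor's code), the following Python script scans web-server access-log lines for `manage_repair` requests whose `id` parameter is not a plain integer record key. Because the page expects an integer, an allow-list check on the parameter catches the payload shown above and any other variant without maintaining signature patterns. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx combined format; not real traffic.
# Line 2 carries the record's example payload; line 4 carries a lone stray quote.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2026:10:01:02 +0000] "GET /rsms/admin/?page=repairs/manage_repair&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Apr/2026:10:01:07 +0000] "GET /rsms/admin/?page=repairs/manage_repair&id=0'%20union%20select%201,2,3,database(),5,6,7,8,9--+ HTTP/1.1" 200 5310 "-" "curl/8.0"
10.0.0.5 - - [13/Apr/2026:10:01:09 +0000] "GET /rsms/admin/?page=repairs HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Apr/2026:10:01:15 +0000] "GET /rsms/admin/?page=repairs/manage_repair&id=12%27 HTTP/1.1" 500 310 "-" "curl/8.0"
"""

# Combined log format: client IP, two identity fields, [timestamp], "METHOD target PROTO", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def manage_repair_id(target):
    """Return the decoded `id` query value for manage_repair requests, or None otherwise."""
    parts = urlsplit(target)
    if not parts.path.startswith("/rsms/admin/"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page", [""])[0] != "repairs/manage_repair" or "id" not in qs:
        return None
    return qs["id"][0]  # parse_qs already percent-decodes and maps '+' to a space


def is_expected_id(value):
    """The page expects an integer record key; anything else (quotes, spaces, blanks) is suspicious."""
    return value.isascii() and value.isdigit()


def find_suspicious_requests(log_text):
    """Return one dict per manage_repair request whose `id` is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        value = manage_repair_id(m.group("target"))
        if value is None or is_expected_id(value):
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "status": m.group("status"), "id": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} id={hit['id']!r}")
```

Run it against a real access log by reading the file into `find_suspicious_requests`; a 500 status next to a flagged value is a strong sign the injected quote reached the database layer.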