CVE-2026-36946
SQL Injection in Sourcecodester Repair Shop Management System

Publication date: 2026-04-13

Last updated on: 2026-04-14

Assigner: MITRE

Description
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor:  oretnom23
Product: computer_and_mobile_repair_shop_management_system
Version: 1.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability is an SQL injection found in Sourcecodester Computer and Mobile Repair Shop Management System v1.0, specifically in the file /rsms/admin/inquiries/view_details.php.

It occurs at the 'id' parameter in the URL, where an attacker can manipulate the SQL query by injecting malicious input.

For example, an attacker can use a UNION-based SQL injection payload to retrieve sensitive information such as the current database name.

This happens because the application does not properly sanitize or validate the input before using it in a database query.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the SQL injection vulnerability in the file /rsms/admin/inquiries/view_details.php, immediate steps include validating and sanitizing the 'id' parameter to prevent malicious input.

Use prepared statements or parameterized queries in the code to avoid direct inclusion of user input in SQL queries.

Restrict database permissions to limit the impact of a potential injection.

Monitor and review logs for suspicious activities related to the vulnerable endpoint.

If possible, apply patches or updates from the vendor or developer addressing this vulnerability.
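As an added illustration of the prepared-statement fix recommended above (this is example code, not the Sourcecodester project's own source; the table and column names are assumed), the first function shows the concatenation pattern that produces CWE-89 and the second the hardened form:

```php
<?php
// Added example, not the project's own code. Table and column names are assumed.

// VULNERABLE pattern (CWE-89): the 'id' query parameter is concatenated
// straight into the SQL text, so a value containing a quote changes the
// statement instead of being treated as data.
function get_inquiry_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM inquiries WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED form: validate the parameter as a positive integer, then bind it
// as a parameter so the database never parses it as SQL.
function get_inquiry_safe(mysqli $db, array $get): ?array
{
    // Whitelist validation: an inquiry id must be a positive integer.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);   // reject rather than "clean" the input
        return null;
    }

    // Placeholder keeps the query text fixed; only the value is sent separately.
    $stmt = $db->prepare(
        'SELECT id, name, contact, message, status FROM inquiries WHERE id = ?'
    );
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Pair the hardened query with a database account limited to the privileges this page needs (for example SELECT on the inquiries table), so a future injection elsewhere cannot read or alter unrelated data.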


How can this vulnerability impact me?

This SQL injection vulnerability can allow an attacker to access unauthorized data from the database by manipulating the SQL queries.

Such unauthorized data leakage can lead to exposure of sensitive information stored in the system.

Additionally, attackers might use this vulnerability to perform further attacks, potentially compromising the integrity and confidentiality of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in the Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows unauthorized data leakage by manipulating SQL queries. Such unauthorized access to sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Specifically, exploitation of this vulnerability could result in exposure of personal data stored in the database, violating data protection requirements and potentially leading to legal and regulatory consequences.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This SQL injection vulnerability can be detected by testing the `id` parameter in the URL `/rsms/admin/inquiries/view_details.php?id=` for SQL injection payloads.

A common detection method is to send a specially crafted HTTP request that attempts to manipulate the SQL query, such as using a UNION-based injection payload.

  • Example payload to test: `/rsms/admin/inquiries/view_details.php?id=-1' union select 1,database(),3,4,5,6,7--+`

You can use command-line tools like curl to send this request and observe the response for signs of SQL injection, such as the database name being returned in the output.

  • Example curl command: `curl -i 'http://<target>/rsms/admin/inquiries/view_details.php?id=-1'%20union%20select%201,database(),3,4,5,6,7--+`
