CVE-2026-36948
SQL Injection in Sourcecodester Online Thesis Archiving System
Publication date: 2026-04-13
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | online_thesis_archiving_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Online Thesis Archiving System v1.0 by Sourcecodester has an SQL injection vulnerability in the file /otas/view_archive.php.
This vulnerability occurs at the URL parameter 'id' in the endpoint /otas/?page=view_archive&id=, which allows an attacker to manipulate the parameter to execute arbitrary SQL queries on the backend database.
For example, an attacker can use a crafted payload to inject a UNION SELECT statement to retrieve sensitive information such as the current database name.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Online Thesis Archiving System v1.0 allows unauthorized data disclosure from the backend database. Such unauthorized access to sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.
By enabling attackers to extract data without authorization, this vulnerability could result in exposure of personal or confidential information, thereby violating requirements for data confidentiality, integrity, and security mandated by these regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in the Online Thesis Archiving System v1.0, immediate steps include:
- Sanitize and validate all user inputs, especially the 'id' parameter in the /otas/view_archive.php file.
- Use prepared statements or parameterized queries to prevent direct injection of SQL code.
- Restrict database permissions to limit the impact of a potential injection.
- Monitor and log suspicious requests targeting the vulnerable endpoint.
- Apply any available patches or updates from the vendor or source if available.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the backend database.
- Unauthorized disclosure of sensitive data stored in the database.
- Potential modification or deletion of database records.
- Compromise of the integrity and confidentiality of the system's data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoint and observing the response for signs of SQL injection.
Specifically, you can test the URL parameter `id` in the endpoint `/otas/?page=view_archive&id=` by injecting SQL payloads.
- Send a request like `/otas/?page=view_archive&id=0' union select 1,2,3,4,database(),6,7,8,9,10,11,12,13--+` to check if the database name is returned in the response.
- Use tools such as curl or a web proxy to send the above request and analyze the HTTP response for database information disclosure.