Detection Guidance

This vulnerability can be detected by testing the `id` parameter in the URL `/otas/admin/curriculum/manage_curriculum.php` for SQL injection. Specifically, sending crafted payloads via GET requests to this parameter can reveal if the system is vulnerable.

• Use a curl command to send a test payload such as: curl "http://<target>/otas/admin/curriculum/manage_curriculum.php?id=0' union select 1,2,database(),4,5,6,7--+"
• Observe the response for database information or SQL errors indicating injection.
• Alternatively, use web vulnerability scanners that support SQL injection detection targeting the `id` parameter in the specified URL.

Useful 0 Not Useful 0

Compliance Impact

The SQL injection vulnerability in the Online Thesis Archiving System v1.0 allows unauthorized data disclosure and potential database manipulation. Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to prevent data breaches.

Because the vulnerability enables attackers to extract database information without authorization, it compromises the confidentiality and integrity of stored data, thereby negatively impacting compliance with standards that require safeguarding personal data.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-36952 is an SQL injection vulnerability found in the Online Thesis Archiving System v1.0 by Sourcecodester. It exists in the file /otas/admin/curriculum/manage_curriculum.php, specifically in the handling of the 'id' parameter via a GET request.

Because the 'id' parameter is not properly sanitized, an attacker can inject malicious SQL code. For example, by sending a crafted payload like '?id=0' union select 1,2,database(),4,5,6,7--+', the attacker can execute arbitrary SQL commands, such as extracting the current database name.

This vulnerability allows unauthorized access to sensitive data stored in the backend database and may enable further manipulation of the database.

Useful 0 Not Useful 0

Impact Analysis

This SQL injection vulnerability can lead to unauthorized disclosure of sensitive data from the backend database of the Online Thesis Archiving System.

An attacker exploiting this flaw could extract confidential information, such as database contents, and potentially manipulate or corrupt the data.

Such unauthorized access and data manipulation can compromise the integrity, confidentiality, and availability of the system and its stored information.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating the `id` parameter in `/otas/admin/curriculum/manage_curriculum.php` to prevent SQL injection.

• Implement prepared statements or parameterized queries in the PHP code to handle the `id` parameter safely.
• Apply input validation to ensure only expected numeric values are accepted for the `id` parameter.
• Restrict direct access to the vulnerable script if possible until a patch or fix is applied.
• Monitor logs for suspicious requests containing SQL injection payloads.

Useful 0 Not Useful 0