CVE-2026-37590
SQL Injection in Storage Unit Rental Management System v
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | storage_unit_rental_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Storage Unit Rental Management System v1.0 by Sourcecodester has a SQL injection vulnerability in the file /storage/admin/rents/manage_rent.php.
This vulnerability occurs because the system does not properly sanitize the 'id' parameter in the URL endpoint /storage/admin/?page=rents/manage_rent&id=, allowing an attacker to inject arbitrary SQL commands.
An attacker can exploit this by sending specially crafted GET requests that manipulate the SQL query, for example using the 'updatexml' function to trigger error-based SQL injection and reveal sensitive database information such as the current database name.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Storage Unit Rental Management System v1.0 allows attackers to extract sensitive database information and potentially manipulate data without authorization.
Such unauthorized access and data leakage can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Therefore, this vulnerability poses a risk to compliance by potentially exposing sensitive data and failing to maintain the confidentiality and integrity required by these standards.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in the Storage Unit Rental Management System v1.0, immediate steps include:
- Restrict access to the vulnerable admin interface, especially the endpoint `/storage/admin/rents/manage_rent.php`.
- Avoid using the vulnerable `id` parameter in the URL until a patch or fix is applied.
- Implement input validation and parameterized queries or prepared statements to prevent SQL injection.
- Change default or weak admin credentials such as `admin/admin123` to strong, unique passwords.
- Monitor logs for suspicious SQL errors or unusual database queries that may indicate exploitation attempts.
How can this vulnerability impact me? :
This SQL injection vulnerability can allow attackers to extract sensitive information from the database, such as database names and potentially other confidential data.
Attackers may also manipulate or delete data, leading to unauthorized data modification or loss.
Such exploitation can compromise the integrity and confidentiality of the system's data, potentially affecting business operations and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by sending specially crafted requests to the vulnerable endpoint and observing the responses for SQL error messages or unexpected data.
Specifically, the vulnerability exists in the URL parameter `id` at the endpoint `/storage/admin/?page=rents/manage_rent&id=`.
An example detection command using curl would be:
- curl "http://<target>/storage/admin/?page=rents/manage_rent&id=0' and updatexml(1, concat(0x7e, (SELECT database()), 0x7e), 1)-- "
This payload uses the MySQL `updatexml` function to trigger an error-based SQL injection that reveals the current database name in the error message, confirming the vulnerability.