CVE-2026-7077
SQL Injection in itsourcecode Courier Management System /edit_parcel.php
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | courier_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection found in the Courier Management System version 1.0, specifically in the /edit_parcel.php file through the 'id' GET parameter.
The application does not properly sanitize or validate the 'id' input before using it in SQL queries, which allows an attacker who is authenticated to inject malicious SQL code.
Exploitation techniques include boolean-based blind SQL injection and UNION-based queries, enabling attackers to manipulate the database queries executed by the system.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to the database, leakage of sensitive data, data tampering, and potentially gaining full control over the system.
Attackers may also cause service interruptions, threatening both system security and business continuity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability in the /edit_parcel.php file can be detected by testing the 'id' GET parameter for injection flaws.
One suggested method is to use the sqlmap tool to automate detection. An example command is:
- python sqlmap.py --random-agent --batch -u "http://154.219.114.125:8810/edit_parcel.php?id=1" --dbms=mysql --current-db
Additionally, manual testing can be done using boolean-based blind SQL injection payloads such as `id=(SELECT (CASE WHEN (3775=3775) THEN 1 ELSE (SELECT 4176 UNION SELECT 5479) END))`, or UNION-based queries targeting multiple columns.
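On the defensive side, the same property the advisory points at (a parameter that should only ever be a plain integer) makes the flaw easy to spot in web-server logs. The following PHP script is an added example, not code from the advisory or from the itsourcecode project: it parses access-log lines in the common "combined" format and flags any request to /edit_parcel.php whose `id` query value is not a positive integer. The log lines, client addresses and user agents are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the itsourcecode project):
// scan web-server access-log lines for requests to /edit_parcel.php whose
// 'id' query parameter is not a plain positive integer. The sample lines
// below are constructed; the client addresses are documentation ranges.

declare(strict_types=1);

// Apache/nginx "combined" format: client identd user [time] "request" status bytes "referer" "agent"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';

/**
 * True when $value is the kind of id the application expects (1..9999999999).
 * Quotes, parentheses, keywords or stray bytes all fail this check.
 */
function isPlainId(string $value): bool
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $value) === 1;
}

/**
 * Parse one log line. Returns an alert array when the request targets
 * /edit_parcel.php with a non-integer id, null for everything else.
 */
function inspectLogLine(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null; // not a recognised log line
    }
    [, $client, $method, $target, $status] = $m;
    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY) ?? '';
    if ($path !== '/edit_parcel.php') {
        return null;
    }
    parse_str($query, $params); // parse_str URL-decodes the values for us
    $id = $params['id'] ?? null;
    if (!is_string($id) || isPlainId($id)) {
        return null;
    }
    return [
        'client' => $client,
        'method' => $method,
        'status' => (int) $status,
        'id'     => $id,
    ];
}

/** Run the inspector over every line and collect the alerts. */
function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $alert = inspectLogLine($line);
        if ($alert !== null) {
            $alerts[] = $alert;
        }
    }
    return $alerts;
}

// Constructed sample: a normal request, an unrelated page, and two requests
// whose id is not an integer (a stray quote, and a parenthesised sub-select).
$sampleLog = [
    '192.0.2.10 - - [27/Apr/2026:10:00:01 +0000] "GET /edit_parcel.php?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Apr/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Apr/2026:10:01:13 +0000] "GET /edit_parcel.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.8"',
    '198.51.100.7 - - [27/Apr/2026:10:01:14 +0000] "GET /edit_parcel.php?id=(SELECT%201) HTTP/1.1" 200 1532 "-" "sqlmap/1.8"',
];

foreach (scanLog($sampleLog) as $alert) {
    printf("ALERT client=%s %s status=%d id=%s\n", $alert['client'], $alert['method'], $alert['status'], $alert['id']);
}
```

Run it with `php scan.php`; the first two lines are silent and the last two produce alerts. Bursts of such alerts from one client, especially with a scanner user agent or a run of HTTP 500 responses, are the signal worth forwarding to your SIEM.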
What immediate steps should I take to mitigate this vulnerability?
To mitigate this SQL injection vulnerability, immediate steps include:
- Use prepared statements with parameter binding to separate SQL code from user input.
- Implement strict input validation and filtering, ensuring inputs conform to expected formats such as numeric patterns for IDs.
- Minimize database user permissions by avoiding use of high-privilege accounts like root or admin for routine operations.
- Conduct regular security audits of code and systems to detect and address vulnerabilities promptly.
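The first three steps above are what the fix for a page like /edit_parcel.php looks like in code. The following PHP is an added example, not the itsourcecode project's own source: it shows the vulnerable string-concatenation pattern next to a hardened version that validates `id` as a positive integer and then binds it through a PDO prepared statement, connecting as a low-privilege account. The table and column names (`parcels`, `id`), the DSN and the `DB_PASSWORD` environment variable are assumptions.

```php
<?php
// Added example (not the itsourcecode project's code). Table/column names,
// the DSN and the DB_PASSWORD variable are assumptions for illustration.

declare(strict_types=1);

/** The vulnerable pattern: the raw GET value is spliced into the SQL text. */
function loadParcelVulnerable(PDO $db, array $get): array|false
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM parcels WHERE id = '" . $id . "'"; // user input becomes SQL
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

/**
 * Validate the id before it reaches the database layer.
 * Returns the integer on success, null when the value is not a positive integer.
 */
function validateParcelId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays or missing values never reach the query
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Hardened pattern: validation plus a prepared statement with a typed bound parameter. */
function loadParcelSafe(PDO $db, array $get): array|false
{
    $id = validateParcelId($get['id'] ?? null);
    if ($id === null) {
        http_response_code(400); // reject malformed ids before any SQL runs
        return false;
    }
    $stmt = $db->prepare('SELECT * FROM parcels WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

/** Connect as a dedicated application account, not root. */
function connect(): PDO
{
    // Assumed DSN and account; grant it only SELECT/UPDATE on the tables this page uses.
    $db = new PDO(
        'mysql:host=127.0.0.1;dbname=courier;charset=utf8mb4',
        'courier_app',
        getenv('DB_PASSWORD') ?: ''
    );
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $db;
}

// Validator behaviour, checkable without a database:
var_dump(validateParcelId('42'));        // int(42)
var_dump(validateParcelId('42abc'));     // NULL
var_dump(validateParcelId('-1'));        // NULL
var_dump(validateParcelId(['42']));      // NULL

// In the request handler:
// $parcel = loadParcelSafe(connect(), $_GET);
```

Binding with `PDO::PARAM_INT` after `filter_var` means the database only ever sees an integer parameter, so the quoting problem described in CWE-89 cannot arise; disabling emulated prepares makes sure the separation of query text and data is enforced by the MySQL server rather than by client-side escaping.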
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in the Courier Management System allows attackers to perform unauthorized database access, leak sensitive data, tamper with data, and potentially cause service interruptions.
Such unauthorized access and data leakage can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data.
Failure to protect data adequately may result in violations of data privacy and security requirements, exposing organizations to legal penalties and reputational damage.