CVE-2026-10302
SQL Injection in Fees Management System 1.0
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | fees_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw found in the Fees Management System version 1.0 by itsourcecode. It exists in the '/manage_fee.php' file, specifically in the 'id' parameter, which does not properly sanitize user input before using it in SQL queries.
An attacker with valid credentials can exploit this vulnerability by manipulating the 'id' argument to inject malicious SQL code. This can allow unauthorized access to the database, data leakage, data tampering, full system control, or service disruption.
The vulnerability has been confirmed with multiple proof-of-concept techniques including boolean-based blind, error-based, and time-based blind SQL injection.
Exploitation requires prior authentication, meaning the attacker must have some level of access before leveraging this flaw.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized database access, which may lead to sensitive data leakage.
Attackers can tamper with or alter data, potentially corrupting important information or disrupting normal operations.
It can also allow attackers to gain full control over the system, enabling further malicious activities.
Service disruption is another possible impact, which can affect availability and reliability of the Fees Management System.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability in the 'id' parameter of /manage_fee.php can be detected by testing for improper input sanitization and injection points.
- Use SQL injection testing tools or manual payloads such as boolean-based blind, error-based, or time-based blind SQL injection techniques targeting the 'id' parameter.
- Example command using sqlmap (requires authentication): sqlmap -u "http://target/manage_fee.php?id=1" --cookie="SESSION=your_session_cookie" --risk=3 --level=5 --batch
- Manually test by injecting SQL payloads in the 'id' parameter, such as appending ' OR 1=1-- to the URL and observing if the response changes or reveals database errors.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement prepared statements with parameter binding to prevent SQL injection.
- Apply strict input validation on the 'id' parameter to ensure only expected data types and values are accepted.
- Minimize database user permissions to limit the impact of a potential exploit.
- Conduct regular security audits and code reviews focusing on input handling and database queries.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Fees Management System 1.0 can lead to unauthorized database access, data leakage, and data tampering. Such impacts can compromise the confidentiality, integrity, and availability of sensitive data.
This type of vulnerability can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Exploitation of this vulnerability could result in exposure of personal or financial information, potentially leading to violations of data protection laws and regulatory requirements.