CVE-2026-10808
SQL Injection in Fees Management System
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | fees_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Fees Management System 1.0 allows attackers with valid credentials to potentially access, leak, or tamper with sensitive data stored in the database. Such unauthorized access and data manipulation can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.
Because the vulnerability can result in unauthorized disclosure and alteration of data, it undermines the confidentiality, integrity, and availability principles required by these standards, thereby negatively impacting compliance.
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue found in the Fees Management System version 1.0, specifically in the /manage_student.php file. It occurs because the 'id' parameter does not properly sanitize user input, allowing attackers to manipulate SQL queries.
An attacker with valid credentials can exploit this vulnerability remotely by injecting malicious SQL code, which can lead to unauthorized access to the database.
The vulnerability is classified as boolean-based blind and error-based SQL injection, and proof-of-concept payloads exist. Exploitation requires prior authentication.
How can this vulnerability impact me? :
Exploiting this vulnerability can have serious impacts including unauthorized database access, data leakage, data tampering, full system control by the attacker, and potential service disruption.
Because the attacker can inject SQL commands, they might extract sensitive information, modify or delete data, or disrupt the normal operation of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a SQL injection in the 'id' parameter of the /manage_student.php file in the Fees Management System 1.0. Detection can be done by testing this parameter for SQL injection vulnerabilities.
Suggested commands include using SQL injection testing tools or manual payloads targeting the 'id' parameter after authentication, since exploitation requires valid credentials.
- Use sqlmap or similar tools with authentication to test the 'id' parameter, for example: sqlmap -u "http://target/manage_student.php?id=1" --cookie="SESSION=your_session_cookie" --batch
- Manually test by injecting typical SQL payloads such as ' OR '1'='1 or ' OR 1=1-- into the 'id' parameter after logging in.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements and parameterized queries to prevent SQL injection.
Additional measures are to validate and sanitize all user inputs, especially the 'id' parameter in /manage_student.php.
Minimize database permissions to limit the impact of a potential exploit.
Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.