CVE-2026-10877
BaseFortify
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | ship_ferry_ticket_reservation_system | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL Injection flaw in the authentication mechanism of the SourceCodester Ship Ferry Ticket Reservation System, specifically in the /admin/login.php file. It occurs because the application does not properly sanitize user input in the username field, allowing an attacker to inject malicious SQL code.
By injecting crafted SQL payloads, an attacker can manipulate the backend SQL queries to bypass authentication controls and gain unauthorized access to the administrative panel without valid credentials.
For example, using a payload like ' OR 1=1-- - in the username field can trick the system into granting access regardless of the password entered.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the authentication mechanism of the SourceCodester Ship Ferry Ticket Reservation System allows unauthorized administrative access and potential exposure of sensitive information. Such unauthorized access and data exposure can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and strict access controls.
Failure to properly secure authentication and prevent unauthorized access may result in violations of data protection requirements, increasing the risk of data breaches and regulatory penalties.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized administrative access to the application.
- Bypass of authentication controls allowing attackers to enter the admin panel without valid credentials.
- Privilege escalation within the application.
- Exposure of sensitive information stored or accessible through the administrative interface.
- Complete compromise of application functionality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL Injection vulnerability in the /admin/login.php endpoint can be detected by attempting to bypass authentication using crafted SQL payloads in the username field.
A common test command is to input the payload `' OR 1=1-- -` into the username field and any value into the password field on the login page. If authentication is bypassed, the system is vulnerable.
Manual authentication testing by supplying such crafted SQL payloads and observing if unauthorized access is granted is an effective detection method.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing parameterized queries (prepared statements) for all database interactions related to authentication to prevent SQL injection.
- Use prepared statements instead of dynamic SQL query construction.
- Implement server-side input validation and sanitize all user inputs.
- Apply least privilege principles to database accounts used by the application.
These steps help prevent attackers from injecting malicious SQL and gaining unauthorized administrative access.