Description

Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. Attackers can exploit the vulnerability by sending crafted SQL queries to retrieve sensitive database information by manipulating the user ID parameter.

Related CPE's

a

puneethreddyhc

online_shopping_system_advanced

1.0

Vulnerable

References

https://github.com/PuneethReddyHC/online-shopping-system-advanced

Product

https://www.exploit-db.com/exploits/51811

ExploitThird Party AdvisoryVDB Entry

https://www.vulncheck.com/advisories/online-shopping-system-advanced-sql-injection-via-payment-success-parameter

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-89

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2025-12-12T21:15:51.430

6 days ago

Last modified

2025-12-19T15:27:57.087

3 hours ago