
Description

Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script: the 'cm' parameter (the user ID) is placed into a SQL statement without filtering or parameterization. A remote, unauthenticated attacker can send a request with a crafted value for that parameter to inject arbitrary SQL and retrieve sensitive information from the application database.
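The following is an added illustration of the CWE-89 pattern the description names, not code from the Online Shopping System Advanced repository: a lookup that splices the request parameter into the query text, beside the same lookup with input validation and a bound parameter. The table, columns, query text and the in-memory SQLite database are assumptions constructed for the example; the real payment_success.php query is not reproduced here.

```python
import sqlite3

# Constructed in-memory stand-in for the application's database. Table and
# column names are assumptions for illustration only.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            email TEXT NOT NULL,
            password_hash TEXT NOT NULL
        );
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test', 'hash-a');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.test',   'hash-b');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cm: str) -> list:
    """Models the vulnerable pattern: the 'cm' request parameter is
    concatenated straight into the SQL text (query text is an assumption)."""
    query = f"SELECT id, name, email FROM users WHERE id = {cm}"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, cm: str) -> list:
    """Same lookup with a type check on the parameter and a bound placeholder,
    so the value can never be interpreted as SQL."""
    try:
        user_id = int(cm)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


# UNION-based payload: a second SELECT with the same column count, so the
# attacker-chosen columns (here the password hashes) are returned in the
# application's own result set.
PAYLOAD = "1 UNION SELECT id, email, password_hash FROM users"


def demo() -> dict:
    conn = make_db()
    return {
        "benign_vuln": lookup_vulnerable(conn, "1"),
        "injected_vuln": lookup_vulnerable(conn, PAYLOAD),
        "benign_fixed": lookup_hardened(conn, "1"),
        "injected_fixed": lookup_hardened(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Against the vulnerable function the payload returns every user's email and password hash alongside the legitimate row; against the hardened function the same payload fails the integer check and yields nothing, and even without that check the bound parameter would be compared as a literal value rather than executed.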

Status: PUBLISHED | Reserved 2025-12-12 | Published 2025-12-12 | Updated 2025-12-12 | Assigner: VulnCheck

HIGH 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

HIGH 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

1.0
affected

Credits

Furkan Gedik (finder)

References

www.exploit-db.com/exploits/51811 (ExploitDB-51811) exploit

github.com/PuneethReddyHC/online-shopping-system-advanced (Product GitHub Repository) product

www.vulncheck.com/...injection-via-payment-success-parameter (VulnCheck Advisory: Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter) third-party-advisory

cve.org (CVE-2024-58316)

nvd.nist.gov (CVE-2024-58316)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.