Beware of SQL Injection Vulnerabilities in Online Food Ordering System v1.0

CVE: CVE-2023-45329
CVSS (v3.1): 9.8
Source: CVE-2023-45329

Online Food Ordering System v1.0 has been found to be vulnerable to SQL Injection attacks. SQL Injection is a code injection technique used to attack data-driven applications. It involves inserting malicious SQL statements into an entry field so that they are executed by the backend database.

In this case, the ‘role’ parameter of the routers/add-users.php page is used in a SQL query without sanitizing the user input first. A malicious actor could craft a SQL statement and pass it as the ‘role’ value to manipulate the database. This may allow them to view sensitive data, modify data, or even take control of the underlying database.

As an online food ordering system stores important user data such as payment details and addresses, a SQL injection flaw could seriously compromise customer privacy and trust. Users should make sure they are running the latest version of the application, which fixes this vulnerability, and may want to consider an alternative food ordering service until this one updates its code.

It is also advisable not to reuse passwords across multiple online accounts, in case one site suffers a data breach. Application developers should learn about SQL injection attacks and ensure all user input is sanitized before it is used in a database query, so that flaws of this kind are prevented.
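To make the developer guidance concrete, the following is an added example written for this page; it is not code from Online Food Ordering System v1.0 and does not reproduce its routers/add-users.php. It shows a hypothetical "add user" handler first in the vulnerable shape the advisory describes (the request parameter concatenated into the SQL text) and then in a hardened form that allowlists the ‘role’ value and binds it through a prepared statement. The table name `users`, its columns, the role set, the PDO connection details and the request parameter names are all assumptions.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection to a MySQL
// database with a `users` table (username, password_hash, role); table,
// column and role names are assumptions, not taken from the advisory.

declare(strict_types=1);

// --- Vulnerable pattern: the request parameter is spliced into the SQL text.
function addUserVulnerable(PDO $pdo, string $username, string $passwordHash, string $role): void
{
    // A quote character inside $role changes the structure of the statement,
    // so the database executes SQL the developer never wrote. This is the
    // class of defect the advisory describes for the 'role' parameter.
    $sql = "INSERT INTO users (username, password_hash, role) "
         . "VALUES ('$username', '$passwordHash', '$role')";
    $pdo->exec($sql);
}

// --- Hardened pattern: allowlist the value, then bind it as a parameter.
const ALLOWED_ROLES = ['admin', 'staff', 'customer']; // assumed role set

function addUserSafe(PDO $pdo, string $username, string $passwordHash, string $role): void
{
    // 1. A role is a small fixed set of values, so reject anything outside
    //    the allowlist before it reaches the database at all.
    if (!in_array($role, ALLOWED_ROLES, true)) {
        throw new InvalidArgumentException('invalid role');
    }

    // 2. Prepared statements send the SQL text and the values separately, so
    //    quotes inside a value are stored as data and never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, role) '
        . 'VALUES (:username, :password_hash, :role)'
    );
    $stmt->execute([
        ':username'      => $username,
        ':password_hash' => $passwordHash,
        ':role'          => $role,
    ]);
}

// --- Request handling (connection string and parameter names are assumptions).
$pdo = new PDO('mysql:host=localhost;dbname=food_ordering', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$role     = $_POST['role'] ?? '';

try {
    addUserSafe($pdo, $username, password_hash($password, PASSWORD_DEFAULT), $role);
    http_response_code(201);
} catch (InvalidArgumentException $e) {
    // Reject bad input without echoing it back or leaking database details.
    http_response_code(400);
}
```

The allowlist check and the prepared statement are independent defences: the prepared statement alone already prevents the injection, while the allowlist also stops a well-formed but unexpected role (for example an attempt to create an account with a privilege level the form never offers) and gives a clean 400 response that is easy to log and alert on.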
