CVE-2020-25762

CRITICAL

Seat Reservation System - SQL Injection

Title source: rule

Description

An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/ajax.php?action=login and bypass authentication, extract sensitive information etc.

Exploits (1)

exploitdb WORKING POC

by Rahul Ramkumar · textwebappsphp

https://www.exploit-db.com/exploits/48889

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/159261/Seat-Reservation-System-1.0-SQL-Injection.html

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2020/Sep/42

[Third Party Advisory, VDB Entry] https://packetstormsecurity.com/files/author/15149

Scores

CVSS v3 9.1

EPSS 0.1786

EPSS Percentile 95.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-89

Status published

Products (1)

seat_reservation_system_project/seat_reservation_system 1.0

Published Sep 30, 2020

Tracked Since Feb 18, 2026