CVE-2024-58316

HIGH

Puneethreddyhc Online Shopping System Advanced - SQL Injection

Title source: rule

Description

Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. Attackers can exploit the vulnerability by sending crafted SQL queries to retrieve sensitive database information by manipulating the user ID parameter.

Exploits (1)

exploitdb WRITEUP

by Furkan Gedik · textwebappsphp

https://www.exploit-db.com/exploits/51811

View Code ZIP pw:eip

References (3)

[Product] https://github.com/PuneethReddyHC/online-shopping-system-advanced

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/51811

[Third Party Advisory] https://www.vulncheck.com/advisories/online-shopping-system-advanced-sql-injection-via-payment-success-parameter

Scores

CVSS v3 7.5

EPSS 0.0011

EPSS Percentile 29.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (2)

PuneethReddyHC/online-shopping-system-advanced 1.0

puneethreddyhc/online_shopping_system_advanced 1.0

Published Dec 12, 2025

Tracked Since Feb 18, 2026