Description
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gate Pass Management System 2.1 contains an unauthenticated SQL injection flaw in the login-exec.php script. Attackers can embed SQL syntax in the login or password form fields, causing the application to execute the injected code and authenticate the user without valid credentials. This leads to unrestricted access to the entire application, enabling attackers to read, modify, or delete sensitive records. The weakness is identified as CWE-89, indicating that user input is concatenated directly into a query without validation or escaping.

Affected Systems

The vulnerability affects Livebms Gate Pass Management System version 2.1. No other versions or components are listed as impacted.

Risk and Exploitability

With a CVSS 4.0 score of 8.8, the flaw is considered high severity. The lack of an available EPSS score suggests limited public exploitation data, though the vulnerability remains, in principle, trivial to exploit over the web. Attackers only need the ability to send a POST request to the vulnerable endpoint; no privileged credentials or complex preconditions are required. Because the exploit allows session authentication to be bypassed, the confidentiality and integrity of the entire application are compromised.

Generated by OpenCVE AI on May 30, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or support channels for a newer release that addresses the SQL injection flaw and install it as a priority.
  • If an official patch is not yet available, modify login-exec.php to use prepared statements or parameterized queries for all user-supplied data, ensuring the database driver does not execute injected SQL.
  • Consider implementing a Web Application Firewall or input‑validation layer to detect and block typical SQL‑injection payloads before they reach the backend.
  • Limit exposure of the login endpoint by restricting its access to known IP ranges or by applying network‑level firewall rules, reducing the attack surface.
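
One way to apply the prepared-statement recommendation to a login handler, as an added example that is not the vendor's login-exec.php. The form field names login and password come from the description above; the users table, its login and password_hash columns, the use of password_hash()/password_verify() and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the vendor's code. Table and column names are
// hypothetical; the account inserted below is constructed sample data.

function authenticate(PDO $db, string $login, string $password): bool
{
    // The placeholder keeps the submitted value out of the SQL text, so
    // quotes or SQL keywords in $login are compared as plain data.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();

    // The password is never placed in the query; it is checked against the
    // stored hash in PHP. An unknown login yields false from fetchColumn().
    return is_string($hash) && password_verify($password, $hash);
}

function handleLogin(PDO $db, array $post): bool
{
    // Reject missing or non-string fields (for example login[]=x arrays).
    $login = $post['login'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($login) || !is_string($password)) {
        return false;
    }
    return authenticate($db, $login, $password);
}

// Constructed test database, so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (login, password_hash) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Valid credentials for a login that itself contains a quote character.
var_dump(handleLogin($db, ['login' => "o'brien", 'password' => 'constructed-sample-pw']));
// Wrong password for the same login.
var_dump(handleLogin($db, ['login' => "o'brien", 'password' => 'wrong']));
// A trailing quote is just part of a login that does not exist.
var_dump(handleLogin($db, ['login' => "o'brien'", 'password' => 'constructed-sample-pw']));
// Non-string field is refused before any query runs.
var_dump(handleLogin($db, ['login' => ['x'], 'password' => 'constructed-sample-pw']));
```

With a PDO driver that emulates prepares by default, setting PDO::ATTR_EMULATE_PREPARES to false makes the database server, not the client library, bind the values.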

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:30:00 +0000

Values added (none removed):
Metrics:
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 May 2026 23:00:00 +0000

Values added (none removed):
First Time appeared: Livebms; Livebms gate Pass Management System
Vendors & Products: Livebms; Livebms gate Pass Management System

Sat, 30 May 2026 15:30:00 +0000

Values added (none removed):
Description: Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application.
Title: Gate Pass Management System 2.1 SQL Injection via login-exec.php
Weaknesses: CWE-89
References:
Metrics:
  cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T02:11:22.783Z

Reserved: 2026-05-30T14:24:54.147Z

Link: CVE-2018-25424

Vulnrichment

Updated: 2026-06-02T02:11:17.158Z

NVD

Status : Deferred

Published: 2026-05-30T16:17:03.713

Modified: 2026-06-01T16:55:20.100

Link: CVE-2018-25424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:17:29Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')