Impact
Montodel House‑Rental‑Management contains a flaw in login.php that allows the Username argument to be manipulated for SQL injection. Attackers can send crafted HTTP requests to inject arbitrary SQL, potentially reading, modifying, or deleting data in the application database. The vulnerability is exploitable remotely and the exploit code has been made public, meaning an attacker with network access can attempt it without additional privileges.
Affected Systems
Any instance of Montodel House‑Rental‑Management running a code base prior to the commit 90010017b81265eb1ef3810268909f7719a33863. Because the product follows a rolling release model, specific version numbers for non‑affected releases are not available. Users of any older snapshot are potentially vulnerable until a patched release is delivered by the vendor.
Risk and Exploitability
Based on the description, it is inferred that the exploit can be launched remotely from any IP that can access the /login.php endpoint. The CVSS score of 6.9 indicates moderate severity, and because the EPSS score is unavailable, a precise exploitation likelihood cannot be quantified. The vulnerability is not in the CISA KEV catalog, but the public availability of exploit code increases the risk of exploitation. Attackers could manipulate the Username field to inject arbitrary SQL, potentially reading, modifying, or deleting data in the application database and compromising credential confidentiality and integrity.
OpenCVE Enrichment