Impact
A vulnerability in the SourceCodester Multi-Vendor Online Grocery Management System allows attackers to inject arbitrary code by manipulating the content[] argument in the update_settings_info function within SystemSettings.php. This code injection flaw can lead to the execution of malicious code on the server, jeopardizing confidentiality, integrity, and availability of the application and its underlying infrastructure.
Affected Systems
The defect is present in SourceCodester Multi‑Vendor Online Grocery Management System version 1.0. Every deployment of that version is affected; the vulnerable code path is reached through the update_settings_info endpoint, so administrators and authenticated users who have access to it are the accounts through which the flaw can be triggered.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, but because the flaw permits remote code injection and has been publicly disclosed, the practical risk is considerably higher. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, yet an attacker with network access can exploit the flaw without any special conditions beyond supplying a crafted content[] payload. The absence of an official patch or mitigation guidance in the public record further increases the urgency of addressing this issue.
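Until a vendor fix is available, the practical defence is to stop treating the content[] values as anything other than data. The PHP below is an added example written for this advisory, not code from the SourceCodester project: the advisory does not describe how update_settings_info stores the submitted values, so the setting names in the allowlist and the table and column names in the prepared statement are assumptions.

```php
<?php
// Added example (not the project's code): hardened handling for a settings
// update that receives an array of values named content[]. The allowlist keys
// below are assumptions; the application's real setting names are not on the page.
declare(strict_types=1);

const ALLOWED_SETTINGS = [
    'name'    => '/^[\p{L}\p{N} .,&\'-]{1,100}$/u',
    'email'   => null,                 // validated with FILTER_VALIDATE_EMAIL
    'contact' => '/^[0-9+() -]{5,20}$/',
    'address' => '/^[\p{L}\p{N} .,#\'-]{1,200}$/u',
];

// Returns only allowlisted keys whose values match the expected shape.
// Unknown keys are dropped; malformed values throw so the request is rejected.
function validate_settings_content(array $content): array
{
    $clean = [];
    foreach (ALLOWED_SETTINGS as $key => $pattern) {
        if (!array_key_exists($key, $content)) {
            continue;
        }
        $value = $content[$key];
        if (!is_string($value)) {           // rejects nested arrays such as content[name][]
            throw new InvalidArgumentException("$key must be a plain string");
        }
        $ok = $pattern === null
            ? filter_var($value, FILTER_VALIDATE_EMAIL) !== false
            : preg_match($pattern, $value) === 1;
        if (!$ok) {
            throw new InvalidArgumentException("$key has an invalid value");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Persists settings as rows through a prepared statement, so a submitted value
// is never concatenated into code or into a query. Table/column names are assumed.
function save_settings(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO system_info (meta_field, meta_value) VALUES (:k, :v)
         ON DUPLICATE KEY UPDATE meta_value = VALUES(meta_value)'
    );
    foreach ($clean as $k => $v) {
        $stmt->execute([':k' => $k, ':v' => $v]);
    }
}
```

A handler would call `save_settings($pdo, validate_settings_content($_POST['content'] ?? []));` after its own authentication and CSRF checks; values that fail validation never reach storage, and stored values are never interpreted as PHP.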
OpenCVE Enrichment