Impact
The vulnerability exists in the login functionality of RafyMrX TOKO-ONLINE-ROTI, where manipulating the Username parameter results in an SQL injection. The flaw allows an attacker to craft malicious queries that can read, modify, or delete database contents. This can lead to data compromise or unauthorized user control. The CVSS score of 6.9 signals a medium severity, reflecting the potential for significant impact if exploited.
Affected Systems
The affected product is RafyMrX’s TOKO-ONLINE-ROTI. The description refers to a commit identifier (ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) but no explicit software version numbers are provided, as the vendor follows a rolling release model. Therefore, any instance of the application on this commit or later is potentially vulnerable.
Risk and Exploitability
The EPSS score of less than 1% indicates that the likelihood of public exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an exploit is publicly available, and remote attackers can trigger it by sending crafted requests to the login endpoint. Because the attack vector is over the network and does not require local privilege, it can be performed from anywhere that can reach the web server.
OpenCVE Enrichment