Impact
The vulnerability allows attackers to inject arbitrary SQL statements by manipulating the Login argument in the users.php component, potentially enabling unauthorized data disclosure, modification, or creation. It stems from improper neutralization of both special characters (CWE‑74) and failure to use parameterized queries (CWE‑89). This flaw directly compromises the confidentiality and integrity of the underlying database if exploited.
Affected Systems
The affected product is sergomanov SmartHomeAdatum, specifically an unknown function within the users.php file of the Login component. The product follows a rolling release model, providing continuous updates, but no specific affected or fixed version identifiers are documented.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate to high severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely by supplying crafted input to the Login field. Because the flaw is not currently mitigated by a vendor patch, the risk of exploitation remains significant until remedial controls are applied.
OpenCVE Enrichment