Impact
AojiaoZero Antaris 1.0 contains a flaw in the PayPal IPN Payment Handler's _rewardPurchase function within ipn.php. The item_number argument is not properly validated, allowing an attacker to inject arbitrary SQL through that parameter. Because the injection can be performed remotely, an adversary could read, modify, or delete database records related to payment processing, compromising confidentiality, integrity, and availability of transaction data.
Affected Systems
The vulnerable component is Antaris 1.0 from the vendor AojiaoZero. No additional versions are listed, indicating that the 1.0 release is the only affected product at this time.
Risk and Exploitability
The CVSS score of 5.3 classifies the vulnerability as moderate. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog, implying no known exploitation activity. The attack vector is remote, and no authentication is required per the description, meaning anyone able to direct traffic to the PayPal IPN endpoint could craft a malicious item_number payload. An exploit can succeed by sending a specially constructed request to /ipn.php, and the lack of defensive mechanisms such as parameterized queries or input filtering increases the feasibility of successful injection.
OpenCVE Enrichment