Impact
An SQL injection flaw exists in the scost parameter of the search_products.php script in the Grocery Store Management System. The vulnerable code constructs a database query that directly includes user-supplied input, allowing an attacker to inject arbitrary SQL commands. The result is the ability to read any data reachable by the application’s database account, exposing product inventories, customer records, and sales information. This flaw matches CWE-89 and does not affect application integrity or availability beyond data disclosure.
Affected Systems
The open‑source Grocery Store Management System built with PHP and MySQL, version 1.0, is the affected product. The vulnerability has been identified in the publicly available GitHub repository and specifically in the /grocery/search_products.php endpoint used for product searching.
Risk and Exploitability
The issue carries a CVSS score of 7.7, indicating high severity, and has an EPSS score of < 1%, suggesting a low likelihood of widespread exploitation at this time. It is not listed in the CISA KEV catalog. The attack vector is over the web, with an attacker able to supply a crafted scost parameter when accessing the search functionality. If successful, the attacker can retrieve confidential database contents. While the EPSS score is low, the high CVSS and the nature of the data exposed warrant immediate attention.
OpenCVE Enrichment