Description
A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection found in the cardhand_submit.php script of AMTT Hotel Broadband Operation System 1.0. By manipulating the ID argument, an attacker could alter the SQL query that retrieves or updates card transactions, potentially exposing, modifying, or deleting sensitive information. The attack can be performed remotely and has already been disclosed publicly, indicating that an attacker can send crafted requests without needing any special credentials.

Affected Systems

AMTT Hotel Broadband Operation System version 1.0 is affected. The weakness lies in an unknown function within the /manager/card/cardhand_submit.php file, implying that only systems running this exact product and version are vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending a crafted ID value to the vulnerable endpoint without authentication. The public disclosure indicates that the attack can be performed without special credentials.

Generated by OpenCVE AI on May 3, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a newer release that addresses the SQL injection issue. If no patch is available, proceed to the next steps.
  • Validate and sanitize the ID parameter on cardhand_submit.php, allowing only numeric values or using prepared statements to prevent injection.
  • Restrict access to /manager/card/cardhand_submit.php using firewall or web‑application firewall rules, limiting exposure to trusted systems.

Generated by OpenCVE AI on May 3, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 03 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Amttgroup
Amttgroup hotel Broadband Operation System
Vendors & Products Amttgroup
Amttgroup hotel Broadband Operation System

Sun, 03 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title AMTT Hotel Broadband Operation System cardhand_submit.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Amttgroup Hotel Broadband Operation System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T13:15:10.392Z

Reserved: 2026-05-02T19:50:03.355Z

Link: CVE-2026-7697

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-03T14:16:26.930

Modified: 2026-05-03T14:16:26.930

Link: CVE-2026-7697

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-03T21:00:09Z

Weaknesses