CVE-2018-25420
AiOPMSD · AiOPMSD Final
A SQL injection vulnerability in AiOPMSD Final 1.0.0 allows unauthenticated attackers to execute arbitrary SQL queries via the 'id' parameter in watch.php.
Executive summary
An unauthenticated SQL injection vulnerability in the 'id' parameter of watch.php in AiOPMSD Final 1.0.0 lets a remote attacker run attacker-chosen SQL against the backend database, exposing it to unauthorized access and data exfiltration.
Vulnerability
The watch.php script places the value of the 'id' query parameter into a SQL statement without validating it or binding it as a parameter, so SQL grammar supplied in the parameter is executed by the database. Because no authentication is required to reach watch.php, any remote client can inject SQL and retrieve data the application's database account can read, including fingerprinting values such as the database name, database user, and server version, and by extension the contents of other tables.
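To make the flaw concrete, the following Python script (an added illustration, not code from AiOPMSD or from this advisory) reproduces the pattern described above against an in-memory SQLite database with a hypothetical two-table schema. The vulnerable function concatenates the raw 'id' value into the query, as watch.php is described as doing; a UNION payload then pulls rows from an unrelated table and the database version, which is the same class of result the advisory describes. The parameterized variant beside it, which is the fix recommended under Remediation, binds the value as data and returns nothing for the same payload. The table names, sample rows, and payloads are all constructed for the demonstration.

```python
import sqlite3

# Constructed payloads for the 'id' parameter. The vulnerable query selects two
# columns, so the UNION branch must also produce two columns.
PAYLOAD_USERS = "0 UNION SELECT username, password_hash FROM users"
PAYLOAD_VERSION = "0 UNION SELECT sqlite_version(), 'fingerprint'"


def make_db():
    """Hypothetical stand-in schema; the real AiOPMSD schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO videos VALUES (1, 'Intro'), (2, 'Lecture 2');
        INSERT INTO users  VALUES (1, 'admin', 'hash-admin'), (2, 'alice', 'hash-alice');
        """
    )
    return conn


def watch_vulnerable(conn, raw_id):
    """Mirrors the described flaw: the parameter is spliced into the SQL text,
    so anything after the number is parsed as SQL, not as a value."""
    sql = "SELECT id, title FROM videos WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def watch_parameterized(conn, raw_id):
    """Hardened form: the driver binds raw_id as a single value. A string that
    is not a plain number simply fails to match any row."""
    sql = "SELECT id, title FROM videos WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def demo():
    """Run both variants against a benign id and the two payloads."""
    conn = make_db()
    return {
        "vuln_normal": watch_vulnerable(conn, "1"),
        "vuln_users": sorted(watch_vulnerable(conn, PAYLOAD_USERS)),
        "vuln_version": watch_vulnerable(conn, PAYLOAD_VERSION),
        "safe_normal": watch_parameterized(conn, "1"),
        "safe_users": watch_parameterized(conn, PAYLOAD_USERS),
        "safe_version": watch_parameterized(conn, PAYLOAD_VERSION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} {rows}")
```

In the vulnerable variant the users payload returns the credential rows and the version payload returns the engine version string; the parameterized variant returns the same single row for id=1 and an empty result for both payloads. On the real application the equivalent MySQL-style fingerprinting functions would be used, but the mechanism is identical.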
Business impact
Successful exploitation could expose everything the application's database account can read, including user records and credentials stored alongside the application data, and, depending on the privileges granted to that account, allow modification of stored data. With a CVSS score of 8.2, this high-severity flaw poses a significant risk to data confidentiality and a lesser but real risk to integrity.
Remediation
Immediate Action: Apply any security update the vendor provides. If none is available, rebuild the query in watch.php as a prepared statement with the 'id' value passed as a bound parameter rather than concatenated into the SQL string; parameter binding keeps the value out of the SQL grammar entirely, which is what "sanitizing" the input cannot reliably do. Additionally reject any 'id' value that is not a plain integer before it reaches the database, and run the application against a database account limited to the tables and privileges it actually needs.
Proactive Monitoring: Review web server access logs for requests to watch.php whose 'id' parameter is not a plain integer, and in particular for values containing SQL keywords or functions such as UNION, SELECT, SLEEP or BENCHMARK, quote characters, or comment sequences, including their URL-encoded and double-encoded forms. Where database query logging is enabled, look for the same patterns in the statements issued by the application's account. Time-based payloads also show up as unusually slow responses for an otherwise cheap page.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection rules in front of the application to block malicious GET requests targeting the 'id' parameter of watch.php. Treat this as a stopgap only: WAF signatures can be evaded with encoding and obfuscation, so it reduces exposure but does not remove the flaw.
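The monitoring recommendation above can be turned into a small log scanner. The following Python script is an added example, not part of this advisory or of the AiOPMSD project; it runs over a handful of constructed Apache-style access log lines, isolates requests to watch.php, decodes the 'id' parameter (twice, to catch double encoding), and flags any value that is not a plain integer, attaching the matching SQL pattern when one is present. The log lines, IP addresses and timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample in Apache combined-log style. Lines 3-6 carry injection
# attempts against watch.php (UNION, time-based SLEEP, double-encoded UNION,
# and a bare quote that produced a 500). Lines 1-2 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /watch.php?id=42 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2024:10:02:15 +0000] "GET /watch.php?id=42%20UNION%20SELECT%20user(),database(),version() HTTP/1.1" 200 5300
198.51.100.7 - - [10/Mar/2024:10:02:31 +0000] "GET /watch.php?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2024:10:02:40 +0000] "GET /watch.php?id=42%2520UNION%2520SELECT%25201,2,3 HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:10:03:00 +0000] "GET /watch.php?id=42' HTTP/1.1" 500 300
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Indicators named in the monitoring guidance plus the usual comment/quote tokens.
SUSPICIOUS = re.compile(
    r"(union\b|select\b|sleep\s*\(|benchmark\s*\(|information_schema|--|/\*|['\"])",
    re.IGNORECASE,
)


def classify(line):
    """Return an alert dict for a suspicious watch.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if not url.path.endswith("/watch.php"):
        return None
    # parse_qs already URL-decodes once; decode a second time to unwrap
    # double-encoded payloads such as %2520 -> %20 -> space.
    params = parse_qs(url.query, keep_blank_values=True)
    for raw in params.get("id", []):
        value = unquote_plus(raw)
        if value.isdigit():
            continue
        hit = SUSPICIOUS.search(value)
        return {
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "id": value,
            "pattern": hit.group(0) if hit else None,
            "reason": f"sqli-pattern {hit.group(0)!r}" if hit else "non-numeric id",
        }
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and collect the alerts."""
    return [alert for alert in (classify(l) for l in lines) if alert]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['ip']} status={a['status']} {a['reason']}: id={a['id']!r}")
```

Any value that is not an integer is reported, not only those matching the keyword list, because the application only ever expects a numeric id; a 'non-numeric id' alert with an odd value and a 500 response is worth the same attention as an explicit UNION. In production, feed this from the live access log and alert on the first hit per source address rather than printing.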
Exploitation status
Public Exploit Available: true
Analyst recommendation
Treat this vulnerability as a priority: public exploit code is available, no authentication is required, and the vulnerable parameter is reachable with a single GET request. System administrators must apply the vendor fix or rewrite the query in watch.php immediately, and put the compensating controls in place in the meantime to prevent unauthorized data access.