A critical vulnerability has been discovered in SourceCodester Pet Grooming Management Software, allowing unauthenticated attackers to compromise the application's database. Successful exploitation of this flaw could lead to the theft, modification, or deletion of sensitive business and customer data, posing a significant risk to the confidentiality and integrity of the system.

The vulnerability is a SQL Injection flaw within the admin/view_customer.php component of the software. The application fails to properly sanitize user-supplied input provided to the ID parameter. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request containing malicious SQL queries in the ID parameter, which are then executed directly by the backend database. This allows the attacker to bypass authentication, read, modify, or delete any data in the database, and in some configurations, execute commands on the underlying operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.4, reflecting the high potential for significant business disruption. A successful attack could lead to a severe data breach, exposing sensitive customer information such as names, addresses, and contact details. The consequences include loss of data integrity, reputational damage, loss of customer trust, and potential financial penalties under data protection regulations. Furthermore, if the database service has excessive privileges, the attacker could pivot from the database to gain full control of the web server, expanding their foothold within the network.

Immediate Action: Organizations must immediately update the SourceCodester Pet Grooming Management Software to the latest patched version as recommended by the vendor. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing application and web server access logs for suspicious activity targeting the admin/view_customer.php file.

Proactive Monitoring: Review web server and database logs for requests to admin/view_customer.php containing SQL keywords (e.g., UNION, SELECT, ', --) or unusual syntax in the ID parameter. Monitor for anomalous outbound network traffic from the database server, which could indicate data exfiltration. Implement a Web Application Firewall (WAF) to detect and block common SQL Injection attack patterns.

Compensating Controls: If patching is not immediately feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically configured to block SQL Injection attacks.
• Restrict access to the /admin/ directory to authorized personnel and trusted IP addresses only.
• Enforce the principle of least privilege by ensuring the database account used by the application has the minimum permissions necessary for its operation.

Public Exploit Available: true

Given the critical CVSS score of 9.4 and the high potential for complete database compromise, it is strongly recommended that all organizations using the affected software apply the vendor-supplied patches immediately. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical severity and ease of exploitation demand urgent attention. All internet-facing instances of this software should be prioritized for patching without delay, and organizations should assume compromise if any related suspicious activity is found.