An unauthenticated SQL injection vulnerability in the code-projects Online Music Site enables remote attackers to execute unauthorized database queries.

The application improperly validates the 'Category' argument in the /Frontend/Search.php file. An unauthenticated attacker can exploit this to inject arbitrary SQL commands into the backend database.

With a CVSS score of 7.3, this flaw presents a significant risk to the confidentiality and integrity of the application. Exploitation could allow attackers to dump the contents of the database, including user credentials or sensitive configuration information, potentially leading to a full system compromise.

Immediate Action: Upgrade to the latest version of the Online Music Site provided by the vendor to remediate the vulnerable parameter.

Proactive Monitoring: Review database query logs for evidence of unusual query structures or unauthorized access attempts originating from the search functionality.

Compensating Controls: Implement strict input validation and parameterized queries at the application layer, and utilize a WAF to filter malicious input strings targeting the search module.

Public Exploit Available: true

Organizations running this software must act quickly to mitigate this risk. Ensure that all database interactions are performed using prepared statements to prevent further injection vulnerabilities, and apply vendor-supplied patches as soon as they are available.