CVE-2026-26711

code-projects · Simple Food Order System

Simple Food Order System v1.0 is vulnerable to SQL Injection in the view-ticket.php file, allowing unauthenticated attackers to extract sensitive information from the database.

Executive summary

Simple Food Order System v1.0 contains a critical SQL Injection vulnerability in view-ticket.php that enables unauthenticated remote attackers to access sensitive database content.

Vulnerability

The /food/view-ticket.php endpoint is vulnerable to SQL Injection. An unauthenticated attacker can manipulate the ticket ID or other parameters to execute arbitrary SQL commands against the backend database.

Business impact

This vulnerability allows for the unauthorized viewing of all support tickets, customer details, and potentially administrative credentials stored in the database. The CVSS score of 9.8 highlights the severe risk to data confidentiality and the potential for full system compromise.

Remediation

Immediate Action: Manually patch view-ticket.php to use prepared statements or update to a secured version of the software if available.
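As an added illustration of that fix (example code, not the project's own view-ticket.php), the unsafe string-concatenation pattern sits next to the prepared-statement form; the `id` parameter, the `tickets` table and its columns, and the mysqli connection are assumptions, not details taken from the affected software.

```php
<?php
// Added example, not code from Simple Food Order System. The handler is assumed
// to look up one ticket by an "id" request parameter; parameter, table and
// column names are assumptions.

// Vulnerable pattern: untrusted input is spliced into the query text, so the
// database parses it as SQL rather than treating it as a value.
function fetchTicketVulnerable(mysqli $db, array $request): ?array
{
    $id  = $request['id'] ?? '';
    $sql = "SELECT id, subject, message FROM tickets WHERE id = '$id'";
    $res = $db->query($sql);               // query structure depends on input
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern: validate the expected type, then bind the value through a
// prepared statement so the query structure is fixed before any data arrives.
function fetchTicketSafe(mysqli $db, array $request): ?array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);           // reject non-numeric ids outright
        return null;
    }

    $stmt = $db->prepare('SELECT id, subject, message FROM tickets WHERE id = ?');
    if ($stmt === false) {
        return null;                       // do not fall back to string building
    }
    $stmt->bind_param('i', $id);           // 'i' = integer; never part of the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
```

The connection passed as `$db` should belong to a database account limited to the tables the application needs, which is the least-privilege control the compensating-controls section describes.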

Proactive Monitoring: Audit database activity for queries that access sensitive tables (e.g., users, admins) originating from the view-ticket.php script.

Compensating Controls: Use a WAF to inspect all GET and POST requests for SQL injection patterns and restrict database user permissions to the minimum necessary for application function.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The presence of SQL injection in a public-facing script like view-ticket.php is a critical security risk. Immediate remediation through code updates or the implementation of robust virtual patching via a WAF is highly recommended.