Unknown · Xhibiter NFT Marketplace · CVE-2024-58290
**Name of the Vulnerable Software and Affected Versions**

Xhibiter NFT Marketplace version 1.10.2
**Description**

The Xhibiter NFT Marketplace software has a SQL injection vulnerability in its collections endpoint (`/collections`). The `id` query parameter is passed into database queries without adequate handling, so an attacker who supplies crafted values for it can alter the queries the application runs. Boolean-based, time-based, and UNION-based SQL injection techniques can be used against this parameter to extract or modify database contents.
**Recommendations**

Apply a fix that sanitizes the `id` parameter in the collections endpoint so that it can no longer influence the structure of the SQL query. As a temporary workaround, restrict access to the collections endpoint to reduce the risk of exploitation.
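The following is an added illustration and not code from Xhibiter or from the advisory. It models the flaw and the recommended fix described above in a self-contained way: a lookup that splices the `id` parameter into SQL, the hardened form that validates `id` as a plain integer and binds it as a query parameter, a request handler that turns a rejected value into a clean HTTP 400, and a small triage routine that scans constructed access-log lines for requests to `/collections` whose `id` is not an integer. The table layout, the handler shape, and the log lines are all assumptions made for the example; the real application's schema and framework are not described on the page.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    # Constructed in-memory stand-in for a marketplace's collections table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE collections (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO collections VALUES (?, ?, ?)",
        [(1, "Alpha", "alice"), (2, "Beta", "bob"), (3, "Gamma", "carol")],
    )
    return conn


def lookup_collection_vulnerable(conn, id_param):
    # The shape of the flaw in the advisory: the request parameter becomes part of the SQL text,
    # so a value such as "1 OR 1=1" changes the WHERE clause instead of being compared as data.
    sql = f"SELECT id, name FROM collections WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def parse_collection_id(id_param):
    # Allow-list validation: a collection id is a short decimal integer and nothing else.
    if not isinstance(id_param, str) or not re.fullmatch(r"[0-9]{1,18}", id_param):
        raise ValueError("invalid collection id")
    return int(id_param)


def lookup_collection_hardened(conn, id_param):
    # Validate first, then bind the value as a query parameter so the database driver
    # never treats it as SQL syntax. Parameter binding is the actual fix; the allow-list
    # is defence in depth and gives the handler a clean rejection to return.
    cid = parse_collection_id(id_param)
    return conn.execute("SELECT id, name FROM collections WHERE id = ?", (cid,)).fetchall()


def handle_collections_request(conn, query_params):
    # Hypothetical handler for GET /collections: returns (http_status, body).
    raw = query_params.get("id", "")
    try:
        rows = lookup_collection_hardened(conn, raw)
    except ValueError:
        return 400, "invalid collection id"
    if not rows:
        return 404, "collection not found"
    return 200, rows


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:00 +0000] "GET /collections?id=7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:12:00:03 +0000] "GET /collections?id=7%20OR%201%3D1 HTTP/1.1" 200 9821',
    '203.0.113.9 - - [10/Jan/2025:12:00:05 +0000] "GET /items?id=7%20OR%201%3D1 HTTP/1.1" 200 310',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def suspicious_collection_requests(log_lines):
    # Triage: report every request to /collections whose id fails the same allow-list
    # the hardened handler enforces. Returns a list of (client_ip, decoded_id) tuples.
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/collections":
            continue
        # parse_qs percent-decodes the values, so the check sees what the application saw.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            try:
                parse_collection_id(raw)
            except ValueError:
                hits.append((m.group("ip"), raw))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1:        ", lookup_collection_vulnerable(db, "1"))
    print("vulnerable, id=1 OR 1=1: ", lookup_collection_vulnerable(db, "1 OR 1=1"))
    print("hardened, id=1:          ", handle_collections_request(db, {"id": "1"}))
    print("hardened, id=1 OR 1=1:   ", handle_collections_request(db, {"id": "1 OR 1=1"}))
    print("log triage:              ", suspicious_collection_requests(SAMPLE_LOG))
```

Running the script shows the vulnerable lookup returning every row for the altered `id`, while the hardened handler answers 400 before any query runs. The log triage applies the same allow-list to historical traffic, which is a cheap way to find out whether the endpoint was probed before the fix or the access restriction was in place.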