CVE-2020-24862

Name of the Vulnerable Software and Affected Versions Pharmacy Medical Store and Sale Point version 1.0

Description The issue concerns a Time-Based blind SQL injection vulnerability related to the catID parameter. This vulnerability can be exploited via the "/medical/inventories.php" API endpoint, allowing attackers to retrieve all databases. The vulnerability is due to the lack of protection measures for the SQL query structure, which can enable a remote attacker to execute arbitrary SQL commands and access confidential data.

Recommendations For Pharmacy Medical Store and Sale Point version 1.0, consider restricting access to the /medical/inventories.php API endpoint and the catID parameter until a patch is available. As a temporary workaround, avoid using the catID parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.