CVE-2017-17614

9.8 CRITICAL

📋 TL;DR

CVE-2017-17614 is a critical SQL injection vulnerability in Food Order Script 1.0 that allows attackers to execute arbitrary SQL commands via the city parameter of the /list endpoint. It affects all installations of Food Order Script 1.0 and can compromise the entire database and web application. Attackers can steal sensitive data, modify database contents, or gain administrative access.

💻 Affected Systems

Products:
  • Food Order Script
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. No specific configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, remote code execution, and full system takeover.

🟠 Likely Case

Database information disclosure including user credentials, payment information, and sensitive business data.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available. Exploitation requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available. Consider migrating to a maintained alternative or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries for the city parameter.

N/A - Requires code modification

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection protection rules to block malicious requests.

N/A - Configuration dependent on WAF solution

🧯 If You Can't Patch

  • Isolate the vulnerable system from the internet and restrict access to trusted networks only.
  • Implement network segmentation and monitor all database access attempts.

🔍 How to Verify

Check if Vulnerable:

Test the /list endpoint with SQL injection payloads in the city parameter (e.g., city=1' OR '1'='1).

Check Version:

Check script files for version information or review installation documentation.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and that the application returns appropriate error messages or sanitized responses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts following SQL injection patterns
  • Unexpected database queries

Network Indicators:

  • HTTP requests with SQL keywords in city parameter
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (city="*' OR*" OR city="*;--*" OR city="*UNION*" OR city="*SELECT*" OR city="*INSERT*" OR city="*UPDATE*" OR city="*DELETE*")
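
The same indicators applied to raw access logs, as an added example that is not part of the original advisory or of any vendor tooling. It URL-decodes the city value first, so percent-encoded and mixed-case requests are caught, and it matches keywords on word boundaries so that ordinary city names are not flagged. Assumptions: the parameter arrives in the query string of a request to /list, logs are in combined format, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Same indicators as the SIEM query, as case-insensitive patterns; keywords are
# matched on word boundaries so a city such as "Unionville" is not flagged.
INDICATORS = [
    ("quote-or", re.compile(r"'\s*or\b", re.I)),
    ("stacked-comment", re.compile(r";\s*--")),
    ("sql-keyword", re.compile(r"\b(?:union|select|insert|update|delete)\b", re.I)),
]

def city_values(log_line):
    """Return the URL-decoded city values of a request to /list, else []."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if target.path.rstrip("/") != "/list":
        return []
    # parse_qs percent-decodes and turns '+' into a space
    return parse_qs(target.query, keep_blank_values=True).get("city", [])

def suspicious(log_line):
    """Return the sorted names of indicators seen in any city value."""
    hits = set()
    for value in city_values(log_line):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)

# Constructed sample log lines (not taken from a real system)
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2018:10:00:00 +0000] "GET /list?city=Chennai HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2018:10:00:02 +0000] "GET /list?city=Unionville HTTP/1.1" 200 4801',
    '198.51.100.7 - - [01/Jan/2018:10:01:10 +0000] "GET /list?city=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 20480',
    '198.51.100.7 - - [01/Jan/2018:10:01:15 +0000] "GET /list?city=1+uNiOn+sElEcT+1 HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Jan/2018:10:01:20 +0000] "GET /menu?city=SELECT HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(suspicious(line) or "clean", "<-", line.split('"')[1])
```

Values submitted in a POST body do not appear in access logs, so this covers only query-string requests.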
