Search

Find a vulnerability

Search criteria

    1 vulnerability found for Antaris by AojiaoZero

    CVE-2026-15502 (GCVE-0-2026-15502)

    Vulnerability from cvelistv5 – Published: 2026-07-12 12:45 – Updated: 2026-07-12 12:45
    VLAI
    Title
    AojiaoZero Antaris PayPal IPN Payment ipn.php _rewardPurchase sql injection
    Summary
    A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377809 vdb-entrytechnical-description
    https://vuldb.com/vuln/377809/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15502 third-party-advisory
    https://vuldb.com/submit/844725 third-party-advisory
    Impacted products
    Vendor Product Version
    AojiaoZero Antaris Affected: 1.0
        cpe:2.3:a:aojiaozero:antaris:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dest1ny_2 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:aojiaozero:antaris:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "PayPal IPN Payment Handler"
              ],
              "product": "Antaris",
              "vendor": "AojiaoZero",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dest1ny_2 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:45:07.222Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377809 | AojiaoZero Antaris PayPal IPN Payment ipn.php _rewardPurchase sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377809"
            },
            {
              "name": "VDB-377809 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377809/cti"
            },
            {
              "name": "CVE-2026-15502 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15502"
            },
            {
              "name": "Submit #844725 | AojiaoZero Antaris latest (2026-06, no formal release) SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/844725"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-11T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-11T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-11T14:54:09.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "AojiaoZero Antaris PayPal IPN Payment ipn.php _rewardPurchase sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15502",
        "datePublished": "2026-07-12T12:45:07.222Z",
        "dateReserved": "2026-07-11T12:49:06.454Z",
        "dateUpdated": "2026-07-12T12:45:07.222Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }