📄 Description (English)
A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
🤖 AI Executive Summary
CVE-2026-10170 is a SQL injection vulnerability in code-projects Visitor Management System 1.0 affecting the /vms/php/phone_0.php endpoint. The vulnerability allows remote attackers to manipulate the 'phone' parameter to execute arbitrary SQL queries with a CVSS score of 6.3 (medium severity). While no patch is currently available and exploit code has been published, the vulnerability requires authentication or specific conditions to be exploited.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 31, 2026 10:32
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using code-projects Visitor Management System 1.0, particularly: Government agencies and ministries managing visitor access control systems, Healthcare facilities (hospitals and clinics) using VMS for patient/visitor tracking, Corporate headquarters and enterprise facilities with visitor management requirements, and Educational institutions. The SQL injection could lead to unauthorized access to visitor databases, extraction of personal information (names, phone numbers, visit purposes), modification of access logs, and potential lateral movement within organizational networks.
🏢 Affected Saudi Sectors
Government
Healthcare
Banking
Education
Corporate/Enterprise
Hospitality
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all instances of code-projects Visitor Management System 1.0 in your environment
2. Restrict network access to /vms/php/phone_0.php endpoint using firewall rules or WAF policies
3. Implement input validation and sanitization for the 'phone' parameter - whitelist only valid phone number formats
4. Enable SQL query logging and monitoring for suspicious patterns
Compensating Controls:
5. Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in phone parameter
6. Implement parameterized queries/prepared statements if source code access is available
7. Apply principle of least privilege to database user accounts used by VMS
8. Enable database activity monitoring and alerting for unauthorized queries
9. Conduct regular security audits of visitor management system logs
Detection Rules:
10. Monitor for SQL keywords (UNION, SELECT, DROP, INSERT) in phone parameter values
11. Alert on unusual database query patterns or failed authentication attempts
12. Track access to sensitive visitor data tables
13. Consider upgrading to a patched version or alternative VMS solution when available
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع حالات نظام إدارة الزوار من code-projects الإصدار 1.0 في بيئتك
2. تقييد الوصول إلى نقطة النهاية /vms/php/phone_0.php باستخدام قواعد جدار الحماية أو سياسات WAF
3. تطبيق التحقق من صحة المدخلات والتطهير لمعامل 'phone' - قائمة بيضاء بصيغ أرقام الهاتف الصحيحة فقط
4. تفعيل تسجيل استعلامات SQL والمراقبة للأنماط المريبة
الضوابط التعويضية:
5. نشر قواعد جدار تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل الهاتف
6. تطبيق الاستعلامات المعاملة/البيانات المحضرة إذا كان الوصول إلى الكود المصدري متاحاً
7. تطبيق مبدأ أقل امتياز لحسابات مستخدمي قاعدة البيانات المستخدمة من قبل VMS
8. تفعيل مراقبة نشاط قاعدة البيانات والتنبيهات للاستعلامات غير المصرح بها
9. إجراء عمليات تدقيق أمان منتظمة لسجلات نظام إدارة الزوار
قواعد الكشف:
10. مراقبة كلمات مفاتيح SQL (UNION, SELECT, DROP, INSERT) في قيم معامل الهاتف
11. التنبيه على أنماط استعلامات قاعدة البيانات غير العادية أو محاولات المصادقة الفاشلة
12. تتبع الوصول إلى جداول بيانات الزوار الحساسة
13. النظر في الترقية إلى نسخة مصححة أو حل VMS بديل عند توفره
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.7.1.1 - Cryptography Policy
A.8.1.1 - Audit Logging
A.8.2.1 - Protection of Log Information
🔵 SAMA CSF
ID.GV-1 - Organizational cybersecurity policy is established and communicated
PR.AC-1 - Identities and credentials are issued and managed
PR.DS-1 - Data-at-rest is protected
DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed
DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Screening
A.8.1 - User endpoint devices
A.8.2 - Privileged access rights
A.8.3 - Information access restriction
A.12.4 - Logging
A.14.2 - Secure development policy and procedures
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 6 - Develop and maintain secure systems and applications
Requirement 10 - Track and monitor all access to network resources and cardholder data
🔗 References & Sources 5