This vulnerability involves improper input sanitization of the borrower_id parameter in the ajax.php save_loan action of SourceCodester Loan Management System v1.0. An authenticated user can exploit this to perform Blind SQL Injection attacks, potentially leading to unauthorized data access or manipulation. The CVSS vector indicates network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, and low confidentiality and integrity impacts with no availability impact.

An attacker with valid authentication can exploit this vulnerability to inject SQL commands, potentially leading to unauthorized disclosure or modification of data within the application database. The impact is limited to confidentiality and integrity with no direct availability impact. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is available, restrict access to authenticated users and monitor for suspicious activity related to the save_loan action. Avoid exposing this functionality to untrusted users and consider implementing additional input validation or web application firewall rules to mitigate injection attempts.