The claudiopizzillo PIAF-HMS application suffers from multiple unauthenticated SQL injection vulnerabilities (CWE-89) because it directly concatenates user-supplied HTTP parameters into SQL queries executed via the deprecated mysql_query() function without any sanitization, escaping, or parameterization. The application has no authentication, enabling remote attackers to inject arbitrary SQL commands to read, modify, or delete data in the backend database. Vulnerable endpoints include rooms.php (DELETE query with unquoted numeric ID), checkuser.php (WHERE clause with quoted Ext parameter), ec.php (date and extension parameters in WHERE clause), checkin.php and wakeup.php (POST data in INSERT statements), bills.php (POST data in WHERE clause), and rates.php and checkout.php. The use of the legacy mysql_* extension prevents stacked statements, but does not mitigate the injection risk. No patch or official remediation is currently documented.

A remote, unauthenticated attacker can exploit these SQL injection vulnerabilities to execute arbitrary SQL commands on the backend database. This can lead to full compromise of the database integrity and confidentiality, including unauthorized reading, modification, or deletion of records. The lack of authentication and direct use of unsanitized input significantly increases the risk and ease of exploitation. The CVSS score of 9.8 reflects critical impact with network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity, and availability impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected application to trusted networks only and implement external protections such as web application firewalls with SQL injection detection rules. Code remediation should include implementing proper input validation, escaping, or parameterized queries using modern database extensions. Note that the application currently lacks any authentication mechanism, which should also be addressed to reduce exposure.