Online Complaint Site
CVE-2025-11514
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in code-projects Online Complaint Site 1.0. This vulnerability affects unknown code of the file /cms/users/index.php. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
AnalysisAI
SQL injection in code-projects Online Complaint Site 1.0 allows authenticated remote attackers to manipulate the Username parameter in /cms/users/index.php and execute arbitrary SQL queries with limited impact to confidentiality, integrity, and availability. The CVSS 2.1 score and 0.03% EPSS percentile indicate low real-world risk despite public exploit availability, likely due to the authentication requirement (PR:L) and constrained impact scope.
Technical ContextAI
The vulnerability is a SQL injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) affecting a PHP application endpoint. The issue stems from unsanitized user input in the Username parameter passed to /cms/users/index.php without proper parameterized query usage or input validation. The affected product is a complaint management system (cpe:2.3:a:fabian:online_complaint_site:1.0:*:*:*:*:*:*:*) developed by fabian, suggesting a small-scale or educational web application rather than enterprise software.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate remediation requires either upgrading to a patched version from the developer (if available) or implementing input validation and parameterized queries in the Username parameter handler. Specific compensating controls: (1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection payloads in the Username field (trade-off: false positives may block legitimate usernames with special characters); (2) Restrict /cms/users/index.php access by IP allowlist to authorized administrators only (trade-off: reduces operational flexibility for remote administration); (3) Enforce prepared statements and stored procedures in the PHP code if source is available. Contact code-projects.org for patch availability status. Monitor vuldb.com entry #327639 for updates.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today