Courier Management System
CVE-2025-11553
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in code-projects Courier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-courier.php. Executing manipulation of the argument Shippername can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.
AnalysisAI
SQL injection vulnerability in Courier Management System 1.0 allows authenticated remote attackers to manipulate the Shippername parameter in /add-courier.php, enabling database queries to be executed with limited confidentiality and integrity impact. The publicly available exploit code and low CVSS score (2.1) reflect the requirement for valid authentication credentials, limiting real-world risk despite confirmed exploit availability.
Technical ContextAI
The vulnerability exists in a PHP-based courier management application where user-supplied input from the Shippername parameter is not properly sanitized before being passed to SQL queries. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') vulnerability specific to SQL context. The application fails to use parameterized queries or input validation, allowing attackers with valid credentials to craft malicious SQL syntax that modifies query logic. The affected product is Courier Management System version 1.0, as identified in the CPE string cpe:2.3:a:carmelogarcia:courier_management_system:1.0:*:*:*:*:*:*:*.
RemediationAI
Upgrade to a patched version of Courier Management System if available from the vendor at code-projects.org; however, no specific patched version is publicly documented in the provided references. Immediate compensating controls include: (1) Implement parameterized queries (prepared statements) in the /add-courier.php file to separate SQL logic from user input - this eliminates SQL injection risk and requires code changes by the development team. (2) Restrict access to the /add-courier.php endpoint via network access control lists or IP whitelisting to trusted administrative networks, reducing the attack surface to insider threats only. (3) Enable comprehensive SQL query logging and audit all queries executed with the Shippername parameter to detect anomalous database activity. (4) Apply input validation and length limits to the Shippername field at the application layer (whitelist alphanumeric characters, reject special SQL metacharacters). (5) Run the application with a database user account that has minimal permissions (INSERT only on the courier table, no SELECT on sensitive tables) to limit the blast radius if injection succeeds. Contact the vendor at code-projects.org or the original reporter (cna@vuldb.com) for patch availability and timeline.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today