Client Details System
CVE-2025-11605
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in code-projects Client Details System 1.0. Impacted is an unknown function of the file /admin/update-profile.php. Such manipulation of the argument uid leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
AnalysisAI
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the uid parameter in /admin/update-profile.php, enabling arbitrary database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; however, the EPSS score of 0.04% and CVSS 2.1 severity indicate low real-world exploitation probability despite low barriers to attack (network-accessible, low complexity, no user interaction required).
Technical ContextAI
The vulnerability involves improper input validation and parameterization in the uid parameter of the /admin/update-profile.php endpoint, classified as Improper Neutralization of Special Elements used in an SQL Command (CWE-74). The affected product is a PHP-based client management system (CPE: cpe:2.3:a:fabian:client_details_system:1.0:*:*:*:*:*:*:*) that fails to sanitize or use prepared statements for user-supplied input before constructing SQL queries. This is a classic SQL injection flaw in server-side database interaction logic.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation requires code modification: (1) Replace all dynamic SQL query construction in /admin/update-profile.php with parameterized prepared statements using PHP PDO or mysqli prepared statement APIs, ensuring the uid parameter is bound as a parameter rather than concatenated into the query string; (2) Implement strict input validation to reject uid values that do not match expected format (e.g., numeric-only if uid is an integer); (3) Apply principle of least privilege to the database user account used by the application, restricting it to SELECT and UPDATE operations on specific tables only, not DROP or administrative commands. Additionally, restrict access to /admin/* paths to authorized administrators only via web server access controls (IP whitelisting, authentication gateway). For organizations unable to modify source code immediately, disable the profile update feature or restrict administrative interface access to trusted networks.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today