Client Details System
CVE-2025-12243
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Client Details System 1.0. Affected by this issue is some unknown functionality of the file clientdetails/welcome.php of the component GET Parameter Handler. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.
AnalysisAI
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the ID parameter in clientdetails/welcome.php, enabling database queries with limited scope impact. CVSS 2.1 reflects low severity due to authentication requirement (PR:L) and limited confidentiality/integrity exposure (VC:L/VI:L), though publicly available exploit code exists and EPSS scoring (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite public POC availability.
Technical ContextAI
The vulnerability exists in the GET Parameter Handler component of clientdetails/welcome.php, where user-supplied ID parameter input is not properly sanitized before being incorporated into SQL queries (CWE-74: Improper Neutralization of Special Elements in Output). The affected product is a PHP-based client management system version 1.0. The vulnerability allows an authenticated user to inject arbitrary SQL syntax through the ID parameter, though the CVSS vector indicates the technical impact is limited to confidentiality and integrity exposure (VC:L, VI:L) with no availability impact (VA:L). This suggests parameterized query failures or output encoding issues rather than full database compromise.
RemediationAI
No vendor-released patch identified at time of analysis. Primary remediation requires input validation on the ID parameter in clientdetails/welcome.php: implement parameterized prepared statements for all SQL queries, sanitize the ID parameter to accept only expected formats (numeric or alphanumeric as applicable), and apply output encoding where results are displayed. Immediate compensating control: restrict access to clientdetails/welcome.php to trusted internal users only via firewall or Web Application Firewall rules, or disable the component if not actively used. Verify that error messages do not leak database structure through verbose SQL error output - implement generic error pages and log detailed errors server-side only. If upgrading to a patched version becomes available from code-projects.org, apply immediately and test thoroughly for functional regression given the low production maturity of version 1.0.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today