Refugee Food Management System
CVE-2025-15209
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown part of the file /home/editfood.php. This manipulation of the argument a/b/c/d causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
SQL injection in code-projects Refugee Food Management System 1.0 allows authenticated remote attackers to alter the SQL queries built from the a/b/c/d arguments of /home/editfood.php, with low impact on the confidentiality, integrity and availability of the stored data (VC:L/VI:L/VA:L). A public proof of concept exists, but the real-world risk is rated low because exploitation needs valid credentials (PR:L) and the rated impact is limited (CVSS 2.1, EPSS 0.05%). The CVE is not listed in CISA KEV, so active exploitation is not confirmed despite the public PoC.
Technical Context (AI)
The vulnerability lies in the PHP application's handling of the user-supplied a/b/c/d request parameters passed to /home/editfood.php, which reach a database query without parameterization or validation. The record classifies it as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the generic injection class of which SQL injection (CWE-89) is the specific case: attacker-controlled text is concatenated into a SQL statement and the database interprets part of it as code. The affected product is identified by CPE cpe:2.3:a:fabian:refugee_food_management_system:1.0. The vector rates confidentiality, integrity and availability impact as low (VC:L/VI:L/VA:L); this is the analyst's assessment of impact, not evidence about which query or table is affected, and an injection in an UPDATE statement of an edit page can still modify rows beyond the one the user intended to edit.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Check https://code-projects.org/ for a fixed release of Refugee Food Management System; if none is published, the source is distributed as PHP and the proper fix is to rewrite the affected query in /home/editfood.php as a prepared statement with bound parameters and to validate the shape of each argument (for example, an integer record ID) before it is used. Compensating controls pending that fix: (1) restrict network access to /home/editfood.php (or the whole application) to trusted networks via a reverse proxy or WAF; (2) add WAF rules for SQL injection patterns in the a/b/c/d parameters, bearing in mind that keyword blocklists (UNION, SELECT, OR 1=1) are routinely bypassed with case changes, inline comments and encoding and are no substitute for the code fix; (3) run the application under a database account granted only the statements and tables the pages need, so that an injected query cannot read or alter unrelated tables (an edit page needs UPDATE on its own table, so a read-only account is not an option there). Each control has trade-offs: network restriction may impact legitimate remote access, and WAF rules need tuning to avoid false positives on legitimate data. Urgent action is not required given the low EPSS (0.05%), but the fix should be scheduled in the regular application maintenance cycle.