Refugee Food Management System
CVE-2025-15211
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A flaw has been found in code-projects Refugee Food Management System 1.0. Impacted is an unknown function of the file /home/refugee.php. Executing manipulation of the argument refNo/Fname/Lname/sex/age/contact/nationality_nid can lead to SQL injection. The attack can be executed remotely. The exploit has been published and may be used.
Analysis (AI-generated)
SQL injection in Refugee Food Management System 1.0 allows authenticated remote attackers to manipulate refNo, Fname, Lname, sex, age, contact, and nationality_nid parameters in /home/refugee.php, enabling unauthorized database query execution with limited confidentiality and integrity impact. The vulnerability requires login credentials (PR:L), has publicly available exploit code, and carries a low CVSS score (2.1) despite active proof-of-concept publication, indicating minimal real-world risk due to authentication barrier and restricted impact scope.
Technical Context (AI-generated)
The vulnerability stems from improper input validation in a PHP-based refugee management application. The affected file /home/refugee.php processes multiple user-supplied parameters without parameterization or sufficient input sanitization, allowing SQL metacharacters to be injected into database queries. This is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the parent category for SQL injection flaws. The application runs on a web server that accepts network requests and performs database operations with user input incorporated directly into SQL statements.
Remediation (AI-generated)
No vendor-released patch had been identified at the time of analysis. Immediate remediation requires restricting access to /home/refugee.php to trusted administrators only, via IP whitelisting or role-based access controls, which reduces the number of accounts that can authenticate. Implement prepared statements and parameterized queries in the affected file to neutralize SQL injection inputs; this is the foundational fix and should be applied when the vendor releases an update, or through custom patching if source code access is available. As a temporary compensating control, disable or restrict the refugee management features if they are not actively in use. Monitor database access logs for unusual query patterns originating from the refugee.php endpoint. Upgrade to a patched version immediately upon release from the vendor. Organizations dependent on this application should contact fabian@code-projects.org (inferred) or monitor https://code-projects.org/ for security updates.
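The following is an added illustration, not code from Refugee Food Management System or from this page (the actual contents of /home/refugee.php are not shown here). It contrasts a string-concatenated UPDATE over the seven listed parameters with the prepared-statement form the remediation calls for, plus the role check used as a compensating control; the table name, column names, session key and PDO connection details are assumed.

```php
<?php
// Added example: not code from Refugee Food Management System or from this page.
// The table name, column names, session layout and PDO connection are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=refugee_db', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Vulnerable pattern (CWE-74 / SQL injection): the request values become part of
// the SQL text, so a quote or comment sequence in any of them rewrites the query.
function updateRefugeeUnsafe(PDO $pdo, array $req): void
{
    $sql = "UPDATE refugees SET fname='{$req['Fname']}', lname='{$req['Lname']}', "
         . "sex='{$req['sex']}', age={$req['age']}, contact='{$req['contact']}', "
         . "nationality_nid='{$req['nationality_nid']}' WHERE ref_no='{$req['refNo']}'";
    $pdo->exec($sql);
}

// Hardened form: the SQL text is a constant; each value is bound as data, and
// the numeric field is validated before it is bound.
function updateRefugeeSafe(PDO $pdo, array $req): int
{
    $age = filter_var($req['age'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 0 and 150');
    }
    $stmt = $pdo->prepare(
        'UPDATE refugees SET fname = :fname, lname = :lname, sex = :sex, age = :age, '
      . 'contact = :contact, nationality_nid = :nid WHERE ref_no = :ref_no'
    );
    $stmt->bindValue(':fname',   (string) ($req['Fname'] ?? ''));
    $stmt->bindValue(':lname',   (string) ($req['Lname'] ?? ''));
    $stmt->bindValue(':sex',     (string) ($req['sex'] ?? ''));
    $stmt->bindValue(':age',     $age, PDO::PARAM_INT);
    $stmt->bindValue(':contact', (string) ($req['contact'] ?? ''));
    $stmt->bindValue(':nid',     (string) ($req['nationality_nid'] ?? ''));
    $stmt->bindValue(':ref_no',  (string) ($req['refNo'] ?? ''));
    $stmt->execute();
    return $stmt->rowCount();   // number of rows actually updated
}

// Compensating control from the remediation: only an admin session may reach this
// code path (the session key is assumed), independent of the query fix above.
session_start();
if (($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit;
}
updateRefugeeSafe($pdo, $_POST);
```

The unsafe function is kept only to show the defect; a deployed fix would delete it rather than leave both paths reachable.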