CVE-2025-5677

| EUVD-2025-17019 HIGH
2025-06-05 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 17:53 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 17:53 euvd
EUVD-2025-17019
PoC Detected
Jun 10, 2025 - 19:31 vuln.today
Public exploit code
CVE Published
Jun 05, 2025 - 19:15 nvd
HIGH 7.3

Tags

PHP SQLi Online Recruitment Management System

Description

A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/ajax.php?action=save_application. The manipulation of the argument position_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0 affecting the /admin/ajax.php?action=save_application endpoint. An unauthenticated remote attacker can manipulate the position_id parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely.

Technical Context

The vulnerability stems from improper input validation in a PHP-based web application (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly leading to SQL injection). The affected endpoint /admin/ajax.php processes AJAX requests with an action parameter set to 'save_application'. The position_id parameter is passed directly into SQL queries without parameterized prepared statements or adequate input sanitization. The underlying technology is a PHP/MySQL-based recruitment management system. CPE identifier likely: cpe:2.3:a:campcodes:online_recruitment_management_system:1.0:*:*:*:*:*:*:*

Affected Products

Product: Campcodes Online Recruitment Management System; Affected Version: 1.0; Vulnerability Location: /admin/ajax.php endpoint with action=save_application parameter; Attack Vector: position_id parameter. No patch version information is available in public sources as of the CVE disclosure. The vendor (Campcodes) has not released a patched version number in accessible advisories. Deployment: Web application accessible remotely via HTTP/HTTPS.

Remediation

Immediate remediation steps: (1) Apply input validation and parameterized prepared statements to the position_id parameter in /admin/ajax.php to prevent SQL injection; (2) Implement whitelist validation for position_id (should be numeric/integer); (3) Use prepared statements with bound parameters for all database queries; (4) Add Web Application Firewall (WAF) rules to block SQL injection patterns targeting /admin/ajax.php; (5) Restrict access to /admin/ endpoints to authenticated users only; (6) Monitor database query logs for suspicious activity. Contact Campcodes directly for official patch availability—no public patch release is currently documented. Workaround: Disable or restrict network access to the vulnerable endpoint until patched. Long-term: Migrate to maintained, security-audited recruitment management software if Campcodes cannot provide timely patches.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-5677 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy