CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability, which was classified as critical, was found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/account_add.php. The manipulation of the argument id/amount leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6311 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/account_add.php endpoint. Unauthenticated remote attackers can manipulate the 'id' or 'amount' parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. A public exploit has been disclosed, which raises the exploitation risk; the CVSS 3.1 base score of 7.3 falls in the High band of the CVSS qualitative scale.
Technical Context
The vulnerability stems from improper input validation in the account_add.php script, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the parent class of SQL injection flaws (CWE-89). The root cause is insufficient parameterization or sanitization of user-supplied input (the id/amount parameters) before it is incorporated into SQL queries. The affected product is Campcodes Sales and Inventory System v1.0, a web-based inventory management application. Because the endpoint requires no authentication, an attacker can alter the intended query through SQL metacharacters in an ordinary HTTP request and manipulate the database directly.
Affected Products
Campcodes Sales and Inventory System 1.0
Remediation
- priority: CRITICAL; action: Upgrade Campcodes Sales and Inventory System to a patched version (version >1.0 if available, or evaluate alternative products if no patch released); details: Contact Campcodes vendor for security update availability. If patch unavailable, implement Web Application Firewall (WAF) rules to block SQL injection patterns in id/amount parameters.
- priority: HIGH; action: Implement prepared statements/parameterized queries; details: Modify /pages/account_add.php to use prepared statements with bound parameters instead of string concatenation for all SQL queries.
- priority: HIGH; action: Input validation and sanitization; details: Implement strict whitelist validation for 'id' parameter (numeric validation) and 'amount' parameter (decimal/numeric validation). Reject any input containing SQL metacharacters (', ", ;, --, /*, etc.).
- priority: MEDIUM; action: Authentication enforcement; details: Require authentication before accessing /pages/account_add.php endpoint; implement role-based access control to restrict account modifications.
- priority: MEDIUM; action: Deploy Web Application Firewall (WAF); details: Configure WAF with SQL injection detection rules (ModSecurity, AWS WAF, Cloudflare) to block malicious payloads targeting the vulnerable endpoint.
- priority: LOW; action: Database permissions hardening; details: Apply principle of least privilege to database user accounts; restrict write/delete operations to minimum necessary permissions to limit damage from successful SQL injection.
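The two HIGH items above (bound parameters plus strict numeric validation of id and amount) combined in one request handler. This is an added illustration, not Campcodes' own code: the table name account_entries, its columns, the PDO connection string and credentials are assumptions.

```php
<?php
// Added example: hardened handling of the id/amount inputs for an
// account_add-style endpoint. Table, columns and DSN are assumptions.
declare(strict_types=1);

function validate_inputs(array $params): array
{
    // 'id' must be a positive integer: anything else is rejected outright
    // (whitelist validation) rather than stripped of metacharacters.
    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // 'amount' must be a plain decimal: up to 10 digits, optional 2 decimals.
    $amount = $params['amount'] ?? '';
    if (!is_string($amount) || !preg_match('/^\d{1,10}(\.\d{1,2})?$/', $amount)) {
        throw new InvalidArgumentException('amount must be a decimal value');
    }
    return ['id' => $id, 'amount' => $amount];
}

function add_account_entry(PDO $db, array $params): int
{
    $in = validate_inputs($params);
    // Unsafe pattern the advisory describes (never do this):
    //   $db->query("INSERT INTO account_entries VALUES ({$_GET['id']}, {$_GET['amount']})");
    // Bound parameters keep the query structure fixed; input is data only.
    $stmt = $db->prepare(
        'INSERT INTO account_entries (account_id, amount) VALUES (:id, :amount)'
    );
    $stmt->bindValue(':id', $in['id'], PDO::PARAM_INT);
    $stmt->bindValue(':amount', $in['amount']); // validated decimal string
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage (an authentication check is assumed to run before this point):
$db = new PDO('mysql:host=localhost;dbname=inventory', 'app', 'APP_PASSWORD_PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
try {
    $rows = add_account_entry($db, $_GET);
    echo "inserted {$rows} row(s)";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'invalid input';
}
```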
EUVD-2025-18725