CVE-2025-6471

| EUVD-2025-18841 HIGH
2025-06-22 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 21:55 euvd
EUVD-2025-18841
Analysis Generated
Mar 15, 2026 - 21:55 vuln.today
PoC Detected
Jun 27, 2025 - 16:56 vuln.today
Public exploit code
CVE Published
Jun 22, 2025 - 10:15 nvd
HIGH 7.3

Tags

SQLi Online Bidding System

Description

A vulnerability classified as critical was found in code-projects Online Bidding System 1.0. Affected by this vulnerability is an unknown functionality of the file /administrator. The manipulation of the argument aduser leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6471 is a critical SQL injection vulnerability in code-projects Online Bidding System version 1.0 affecting the /administrator endpoint, where the 'aduser' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available and the vulnerability is actively exploitable with no authentication required.

Technical Context

The vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in the /administrator file of the Online Bidding System. The 'aduser' parameter is concatenated directly into SQL queries without parameterized statements or input validation. This allows attackers to inject malicious SQL syntax to bypass authentication, extract sensitive data from backend databases, or manipulate database records. The affected software is a web-based bidding platform built on unknown technology stack; the lack of input sanitization in an administrative endpoint suggests potentially legacy or poorly secured code architecture.

Affected Products

code-projects Online Bidding System version 1.0 - all installations. Specific affected component: /administrator endpoint with vulnerable 'aduser' parameter handling. CPE identifier would be: cpe:2.3:a:code-projects:online_bidding_system:1.0:*:*:*:*:*:*:* (assuming standard vendor/product naming). No patch version information provided in available references; confirm with vendor for patched release availability.

Remediation

Immediate actions: (1) Implement parameterized queries (prepared statements) for all database interactions in the /administrator endpoint; (2) Apply strict input validation and whitelisting for the 'aduser' parameter (alphanumeric only, length limits); (3) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the /administrator path; (4) Apply principle of least privilege to database user accounts; (5) Contact code-projects vendor immediately for security patch or version upgrade; (6) If patch unavailable, implement network segmentation to restrict /administrator access to trusted IP ranges only; (7) Monitor database logs for SQL injection attempts and unauthorized queries; (8) Conduct full code audit of input handling across the application. Vendor patch status: Unknown—verify with code-projects for CVE-2025-6471 patch availability and release timeline.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6471 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy