CVE-2025-6503

| EUVD-2025-18863 HIGH
2025-06-23 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 22:10 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 22:10 euvd
EUVD-2025-18863
PoC Detected
Jun 27, 2025 - 16:55 vuln.today
Public exploit code
CVE Published
Jun 23, 2025 - 04:15 nvd
HIGH 7.3

Tags

PHP SQLi Inventory Management System

Description

A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/fetchSelectedCategories.php. The manipulation of the argument categoriesId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6503 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/fetchSelectedCategories.php file where the 'categoriesId' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed and proof-of-concept code is available, significantly elevating exploitation risk in production environments.

Technical Context

This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), which represents a failure to properly validate and sanitize user-supplied input before incorporating it into SQL queries. The affected component is a PHP file (/php_action/fetchSelectedCategories.php) that likely processes category filtering requests in an inventory management application. The 'categoriesId' parameter is passed directly or with insufficient escaping into SQL query construction, allowing an attacker to inject malicious SQL syntax. This is a classic first-order SQL injection vulnerability in legacy PHP applications that predate parameterized query adoption.

Affected Products

code-projects Inventory Management System version 1.0. CPE string (inferred): cpe:2.3:a:code-projects:inventory_management_system:1.0:*:*:*:*:*:*:*. The vulnerability affects all installations of this specific version with network accessibility to the /php_action/fetchSelectedCategories.php endpoint. No patched versions have been referenced in available public disclosures as of this analysis.

Remediation

Immediate remediation steps: (1) Implement prepared statements/parameterized queries using mysqli_prepare() or PDO prepared statements in the fetchSelectedCategories.php file; (2) Apply strict input validation using whitelist approach for categoriesId parameter (numeric validation only if categories are referenced by ID); (3) Implement stored procedures with bound parameters if database layer supports; (4) Apply Web Application Firewall (WAF) rules to block SQL injection patterns in the categoriesId parameter as temporary mitigation; (5) Upgrade to a patched version when released by code-projects vendor. Contact code-projects development team for security updates; if no response within 90 days, consider migrating to actively maintained inventory management systems. Implement principle of least privilege for database user credentials used by the application.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6503 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy