CVE-2025-6611

| EUVD-2025-19110 HIGH
2025-06-25 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19110
PoC Detected
Jun 27, 2025 - 18:35 vuln.today
Public exploit code
CVE Published
Jun 25, 2025 - 16:15 nvd
HIGH 7.3

Tags

PHP SQLi Inventory Management System

Description

A vulnerability was found in code-projects Inventory Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /php_action/createBrand.php. The manipulation of the argument brandStatus leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6611 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/createBrand.php endpoint via the brandStatus parameter. The vulnerability allows unauthenticated remote attackers to manipulate SQL queries, potentially resulting in unauthorized data access, modification, or deletion. Public exploit disclosure and active exploitation risk are confirmed.

Technical Context

The vulnerability exists in PHP-based web application code (specifically createBrand.php) that fails to properly sanitize or parameterize user input in the brandStatus parameter before constructing SQL queries. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') vulnerability. The root cause is likely missing input validation, lack of prepared statements, or inadequate escaping of SQL special characters. The affected product is code-projects Inventory Management System v1.0, a PHP-based inventory management application. The attack surface is exposed through a publicly accessible web endpoint with no authentication requirement (PR:N in CVSS).

Affected Products

- vendor: code-projects; product: Inventory Management System; affected_versions: ['1.0']; vulnerable_component: /php_action/createBrand.php; vulnerable_parameter: brandStatus; attack_vector: Network

Remediation

- IMMEDIATE: Disable or restrict access to /php_action/createBrand.php via web application firewall (WAF) rules until patch is available. - Apply input validation: Implement strict whitelisting for brandStatus parameter (e.g., only allow alphanumeric characters or specific enum values). - Use prepared statements/parameterized queries: Replace all direct SQL string concatenation with parameterized queries using bound variables in PHP (MySQLi prepared statements or PDO prepared statements). - Implement output encoding: Ensure all user input is properly escaped using context-appropriate escaping functions (e.g., mysqli_real_escape_string or prepared statements). - Monitor vendor advisories: Check code-projects official repository/website for security patches to Inventory Management System v1.0. If no patch is available, consider migrating to a maintained alternative or hardening via WAF rules. - Apply principle of least privilege: Ensure database user executing createBrand.php queries has minimal required permissions (no DROP/ALTER TABLE rights). - Conduct security testing: Perform SQL injection testing on all similar endpoints (other /php_action/*.php files with user-controlled parameters) to identify related vulnerabilities.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6611 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy