CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in code-projects Modern Bag 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/login-back.php. The manipulation of the argument user-name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-7471 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0 affecting the /admin/login-back.php endpoint. An unauthenticated remote attacker can inject malicious SQL code via the 'user-name' parameter to compromise confidentiality, integrity, and availability of the application and underlying database. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing real-world exploitation risk.
Technical Context
This vulnerability stems from missing input validation and query parameterization in the login authentication mechanism. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output), though the actual exploitation vector appears to be CWE-89 (SQL Injection). The vulnerable code path passes user-supplied input from the 'user-name' parameter directly into SQL query strings without prepared statements or parameterized query execution. Modern Bag 1.0 is a PHP-based application (inferred from the .php extension), and the vulnerability likely exists in the authentication handler before any privilege checks occur. The attack surface is the publicly accessible admin login interface, which makes the unauthenticated attack vector feasible.
Affected Products
Modern Bag
Remediation
Immediate Mitigation: Restrict network access to /admin/login-back.php via firewall rules or a WAF; limit admin interface exposure to known IP ranges only.
Application-Level Workaround: Implement input validation (regex): reject user-name parameters containing SQL metacharacters (single quotes, double quotes, semicolons, dashes, asterisks). Deploy a WAF rule to block SQL keywords (SELECT, UNION, DROP, etc.) in the user-name field.
Code-Level Patch: Replace all SQL query concatenation in login-back.php with parameterized prepared statements using bound variables (mysqli prepared statements or PDO parameterized queries). Example: use prepared statements with ? placeholders instead of string interpolation.
Version Update: Check the code-projects official repository/advisories for a Modern Bag patch release (version >1.0). If unavailable, consider alternative admin authentication libraries.
Detection & Monitoring: Enable SQL error logging; monitor for unusual query patterns in database logs; set IDS/IPS signatures to detect SQL injection payloads (UNION, OR 1=1, stacked queries) in admin login POST requests.
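The code-level patch above is the only item in this list that actually removes the injection; the input filter and WAF rule are stopgaps. The following is an added illustration, not code from Modern Bag or from code-projects: it shows the concatenation pattern the advisory describes (a hypothetical reconstruction, since the real file is not on the page) next to a hardened login handler built on a PDO prepared statement. The table name `admin`, the columns `username` and `password_hash`, the `password` form field, and the connection details are all assumptions; only the `user-name` parameter and the `/admin/login-back.php` path come from the advisory.

```php
<?php
// Added example, not Modern Bag's own code. Assumed schema: table `admin` with
// columns `username` and `password_hash`. Connection details are placeholders.
declare(strict_types=1);

// --- Hypothetical vulnerable pattern (reconstruction, NOT the actual file) ---
// String interpolation splices the raw 'user-name' value into the SQL text, so
// the database parser cannot tell user data from query structure (CWE-89).
function vulnerableLogin(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM admin WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// --- Hardened form: parameterized prepared statement -----------------------
// The query text is fixed at prepare() time; the username travels as a bound
// value and is never parsed as SQL, whatever characters it contains.
function safeLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares the submitted password against the stored hash
    // in constant time; a missing row and a wrong password both return false.
    return $row !== false && password_verify($password, $row['password_hash']);
}

function connect(): PDO
{
    // DSN, user and password are placeholders (assumption).
    return new PDO(
        'mysql:host=127.0.0.1;dbname=modernbag;charset=utf8mb4',
        'DB_USER',
        'DB_PASSWORD',
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares instead of client-side emulation.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Request handling for the login form. 'user-name' is the parameter named in
// the advisory; 'password' is an assumed field name.
$username = $_POST['user-name'] ?? '';
$password = $_POST['password'] ?? '';

// Defense in depth: a length bound rejects oversized input before any query.
// It is not the fix; the prepared statement is.
if ($username === '' || strlen($username) > 64) {
    http_response_code(400);
    exit('Invalid login');
}

try {
    $db = connect();
    if (safeLogin($db, $username, $password)) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['admin'] = $username;
        header('Location: /admin/index.php');
    } else {
        // One generic message for unknown user and wrong password.
        http_response_code(401);
        echo 'Invalid login';
    }
} catch (PDOException $e) {
    // Log details server-side; never echo database errors to the client,
    // since verbose SQL errors are what makes injection easy to confirm.
    error_log('login-back.php DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Login temporarily unavailable';
}
```

With mysqli the equivalent of `safeLogin()` is `prepare()` followed by `bind_param('s', $username)` and `execute()`; the point in both APIs is the same: the SQL text never changes with the input. Keeping `ATTR_EMULATE_PREPARES` off and errors logged rather than displayed also supports the Detection & Monitoring item above, since failed prepares show up in the server log instead of in the HTTP response.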
EUVD-2025-21218