CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /getdoctordaybooking.php. The manipulation of the argument cid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-7539 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System version 1.0, specifically in the /getdoctordaybooking.php file via the 'cid' parameter. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. Exploitation has been publicly disclosed with proof-of-concept availability, and the vulnerability may be actively exploited in the wild.
Technical Context
The vulnerability exists in the Online Appointment Booking System, a web-based PHP application typically deployed on Apache/Nginx servers with MySQL/MariaDB backends. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), manifesting as SQL injection through inadequate input validation and sanitization. The /getdoctordaybooking.php endpoint fails to properly parameterize or escape the 'cid' (likely 'clinic_id' or similar) parameter before incorporating it into SQL queries. CPE identification: cpe:2.3:a:code-projects:online_appointment_booking_system:1.0:*:*:*:*:*:*:*. The affected component processes database queries without using prepared statements or parameterized queries, allowing attackers to break out of intended query context and inject malicious SQL syntax.
Affected Products
code-projects Online Appointment Booking System version 1.0 and potentially earlier versions not explicitly documented. The vulnerability affects all installations of this specific product version running on any web server/database combination (Linux/Windows with Apache/Nginx and MySQL/MariaDB). No evidence of vendor patches or version updates is provided in the available references; vendor responsiveness and patch availability are unknown. Organizations using this product should immediately audit their deployment inventory. No official vendor advisory URL is confirmed to be available.
Remediation
Immediate actions: (1) Disable or restrict network access to /getdoctordaybooking.php via WAF rules or firewall ACLs until patching is possible; (2) Implement input validation requiring the 'cid' parameter to match the expected numeric/alphanumeric pattern only, rejecting special SQL characters; (3) Update to a patched version if code-projects releases one (check the project repository/vendor site); (4) If no patch is available, implement parameterized queries using PHP prepared statements with mysqli or PDO; (5) Apply the principle of least privilege to the database user executing the queries: restrict it to SELECT-only permissions where possible; (6) Deploy SQL injection detection signatures in WAF/IDS; (7) Conduct an immediate database audit for signs of compromise (examine query logs, check for unauthorized data access/modification). If patch availability is unclear, contact the code-projects vendor directly for a security advisory and timeline.
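Remediation steps (2), (4) and (5) applied to an endpoint shaped like /getdoctordaybooking.php, as an added example that is not code from the Online Appointment Booking System project. The table and column names, the DSN, the read-only account and the booking-date column are all assumptions; the concatenated query shown in the comment is the pattern the advisory describes, not the product's actual code.

```php
<?php
// Added example, not the vendor's code. Table/column names, DSN and account are assumed.
declare(strict_types=1);

// Pattern described in the advisory: the raw request value becomes part of the SQL
// text, so the database parses it as query syntax rather than as data.
//   $sql = "SELECT * FROM doctor_bookings WHERE clinic_id = " . $_GET['cid'];

// Step (2): accept 'cid' only as a positive integer; anything else is rejected
// before it reaches the database. Returns null on missing or malformed input.
function parseClinicId(array $query): ?int
{
    if (!isset($query['cid']) || !is_string($query['cid'])) {
        return null;
    }
    $cid = filter_var($query['cid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $cid === false ? null : $cid;
}

// Step (4): the SQL text is fixed and the values are bound separately, so a
// parameter can never change the structure of the statement.
function getDoctorDayBookings(PDO $db, int $clinicId, string $day): array
{
    $stmt = $db->prepare(
        'SELECT booking_id, doctor_id, slot_time FROM doctor_bookings'
        . ' WHERE clinic_id = :cid AND booking_date = :day'
    );
    $stmt->bindValue(':cid', $clinicId, PDO::PARAM_INT);
    $stmt->bindValue(':day', $day, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Step (5): connect as an account granted only SELECT on the booking tables
// (credentials are placeholders). Disabling emulated prepares makes the MySQL
// server itself keep statement text and parameters apart.
$db = new PDO('mysql:host=localhost;dbname=appointments;charset=utf8mb4', 'booking_ro', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$clinicId = parseClinicId($_GET);
if ($clinicId === null) {
    http_response_code(400);
    exit('invalid cid');
}
header('Content-Type: application/json');
echo json_encode(getDoctorDayBookings($db, $clinicId, date('Y-m-d')));
```

Rejected requests (HTTP 400) are also a useful detection signal: a spike of malformed 'cid' values against this endpoint in the web server log is worth alerting on while step (1) is in place.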
EUVD-2025-21269