Severity by source

CVSS 4.0 vector (NVD, primary rating; only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline

Description (CVE.org)
A vulnerability was found in code-projects Job Diary 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /view-cad.php. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
A critical SQL injection vulnerability exists in code-projects Job Diary 1.0 via the ID parameter in /view-cad.php, allowing unauthenticated remote attackers to execute arbitrary SQL commands and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, and while the CVSS score is 7.3 (High), the unauthenticated attack vector and low complexity suggest active exploitation is likely. No patch has been confirmed available as of this analysis.
Technical Context (AI)
Job Diary 1.0 is a PHP-based web application (CPE likely: cpe:2.3:a:code-projects:job_diary:1.0:*:*:*:*:*:*:*). The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), specifically SQL injection (CWE-89). The /view-cad.php endpoint fails to properly sanitize or parameterize the ID parameter before incorporating it into SQL queries. This is a classic first-order SQL injection vulnerability where user-supplied input is directly concatenated into SQL statements without using prepared statements or proper input validation.
Remediation (AI)

- Primary: Apply vendor patch or upgrade. Contact code-projects for a patched version > 1.0. Check the project repository (if public) for security updates. Upgrade immediately if a patch is available.
- Immediate (pre-patch): Implement parameterized queries. Modify /view-cad.php to use prepared statements (mysqli prepared statements or PDO with bound parameters) for all SQL queries involving the ID parameter. Example: $stmt = $mysqli->prepare('SELECT * FROM table WHERE ID = ?'); $stmt->bind_param('i', $_GET['ID']); $stmt->execute();
- Input validation: Whitelist the ID parameter format. If ID is numeric, enforce integer-only validation: if (!ctype_digit($_GET['ID'])) { exit('Invalid ID'); }. Validate against expected data types before any database operation.
- Network segmentation: Restrict access to Job Diary. Place the application behind a WAF or IP whitelist. Disable access to /view-cad.php if it is not currently required.
- Database hardening: Apply the principle of least privilege. Ensure the database user running Job Diary queries has only the minimal required permissions. Disable statement-level backup/restore capabilities if possible.
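The following is an added example, not Job Diary's own code, showing the two pre-patch controls above (integer-only validation of ID, then a prepared statement with a bound parameter) working together as a single lookup routine. The table and column names are assumptions, and an in-memory SQLite database through PDO stands in for the application's MySQL database so the script runs on its own; the same bound-parameter pattern applies unchanged to mysqli.

```php
<?php
// Added example (not Job Diary's own code): hardened lookup for a numeric
// "ID" request parameter. Table/column names are assumed; PDO + SQLite
// in memory replaces the real MySQL connection so this runs stand-alone.
declare(strict_types=1);

// Hypothetical "before" shape of the first-order injection described in the
// Technical Context: the raw request value is concatenated into the SQL text.
//   $result = $mysqli->query("SELECT * FROM candidates WHERE ID = " . $_GET['ID']);

/**
 * Whitelist check: accept only a plain string of decimal digits. Arrays
 * (e.g. ?ID[]=1) and anything containing non-digit characters are rejected
 * before the value gets anywhere near the database.
 */
function validateId($raw): int
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        throw new InvalidArgumentException('Invalid ID');
    }
    return (int) $raw;
}

/**
 * Fetch one record by ID. The SQL text is fixed at prepare time and the
 * value travels as a typed parameter, so it cannot change the query.
 * Returns null when the ID is well-formed but no such record exists.
 */
function fetchById(PDO $db, $raw): ?array
{
    $id = validateId($raw);
    $stmt = $db->prepare('SELECT id, title FROM candidates WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed sample data (not from the application) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE candidates (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO candidates (id, title) VALUES (1, 'first entry'), (2, 'second entry')");

// Constructed request values: a valid ID, a well-formed ID with no record,
// a non-numeric string, and an array (what ?ID[]=1 produces in $_GET).
$inputs = ['1', '99', '1-1', ['1']];
foreach ($inputs as $raw) {
    try {
        $row = fetchById($db, $raw);
        $outcome = $row === null ? 'no such record' : json_encode($row);
    } catch (InvalidArgumentException $e) {
        $outcome = 'rejected: ' . $e->getMessage();
    }
    printf("%-12s -> %s\n", json_encode($raw), $outcome);
}
```

Validation and the prepared statement are deliberately kept as separate layers: the bound parameter alone already prevents the injection, while the digit whitelist additionally turns malformed input into a clean error path and keeps the integer cast from silently mapping strings like "1abc" onto a real record.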
EUVD-2025-21333