Food Review System CVE-2025-8165
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Food Review System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/approve_reservation.php. The manipulation of the argument occasion leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in code-projects Food Review System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the occasion parameter in /admin/approve_reservation.php, resulting in limited data confidentiality and integrity impact. Despite a critical classification in the source database, the CVSS 4.0 score of 2.1 reflects the requirement for authenticated access (PR:L) and limited technical impact scope. Publicly available exploit code exists and the vulnerability has been publicly disclosed.
Technical ContextAI
The vulnerability exists in a PHP-based food ordering and review system where user-supplied input (the occasion parameter) is not properly sanitized before being used in SQL queries. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates insufficient input validation/parameterization, a classic SQL injection vector. The affected endpoint /admin/approve_reservation.php processes administrative reservation approval logic without adequate prepared statements or input escaping. The CPE identifies the specific product as carmelo/food_ordering_review_system version 1.0.
RemediationAI
Upgrade to a patched version of Food Review System if available from the vendor at https://code-projects.org/; however, no specific patched version number is publicly documented in available references. As an immediate compensating control, restrict access to /admin/approve_reservation.php to a whitelist of trusted administrative IP addresses or implement a Web Application Firewall (WAF) rule to block SQL injection patterns in the occasion parameter (e.g., detect single quotes, UNION keywords, or comment sequences). Audit all database queries in the approve_reservation.php file and replace vulnerable string concatenation with parameterized prepared statements using bound parameters in PHP PDO or mysqli. Review application logs for suspicious SQL patterns in the occasion field for evidence of attempted exploitation. Contact the vendor (carmelo) directly for security update guidance, as https://code-projects.org/ references may not yet reflect patched releases.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today