
Campcodes Courier Management System CVE-2025-8190

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-07-26 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD), metric by metric

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability Low (VC:L/VI:L/VA:L)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Safety (supplemental): Not Defined (S:X). CVSS 4.0 has no Scope metric; the S element of the vector is the Safety supplemental metric, and the subsequent-system impact metrics above carry the information Scope used to express.

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:49 (vuln.today)

Description (CVE.org)

A vulnerability, which was classified as critical, has been found in Campcodes Courier Management System 1.0. This issue affects some unknown processing of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

SQL injection in Campcodes Courier Management System 1.0 via the ids parameter of /print_pdets.php lets a remote attacker who holds a valid low-privilege account (PR:L in the vector above) inject into the SQL query that the script builds from that parameter. The CNA text classifies the issue as critical, but the NVD CVSS v4.0 score of 2.1 reflects Low confidentiality, integrity and availability impact on the vulnerable system, no subsequent-system impact, and a public proof-of-concept (E:P). EPSS puts the exploitation probability at 0.06% (19th percentile). The low score comes from the impact ratings, not from exploit difficulty: attack complexity is Low, no user interaction is needed, and the exploit is public, so the only barrier is a valid login.

Technical Context (AI)

The vulnerability is in a PHP web application: the value of the ids request parameter handled by /print_pdets.php is concatenated into the text of an SQL statement instead of being validated and bound through a prepared statement, so SQL metacharacters in ids change the structure of the query rather than being treated as data. The parameter name suggests a list of record identifiers, which is a common place for string-built IN (...) clauses because binding a variable-length list takes a little more code than concatenation. NVD files the issue under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the general injection class from which SQL injection (CWE-89) descends; the downstream component here is the database. The affected product is identified by the CPE cpe:2.3:a:campcodes:courier_management_system:1.0:*:*:*:*:*:*:* and is a courier management application, likely used for logistics or parcel tracking operations.
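The pattern described above, as an added example that is not code from this page or from Campcodes: a hypothetical parcels table in SQLite, a lookup that splices ids into an IN (...) clause the way the description implies, and the hardened version that validates the list and binds each value. The table, column names and sample rows are constructed for the demonstration; the real /print_pdets.php is not reproduced here, and the injection payload shown is a generic one, not the published exploit.

```python
"""Added example (not Campcodes' code): how a comma-separated `ids`
parameter becomes SQL injection, and how to accept the same input safely.

Everything here is constructed for illustration: the table, its columns,
the rows and the parameter values. Nothing reproduces /print_pdets.php.
"""
import re
import sqlite3

# Constructed sample data standing in for whatever the courier app prints.
SAMPLE_ROWS = [
    (1, "alice", "delivered"),
    (2, "bob", "in transit"),
    (3, "carol", "pending"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a hypothetical parcels table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parcels (id INTEGER PRIMARY KEY, customer TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO parcels VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, ids: str) -> list:
    """The bug class from the advisory: the raw parameter is spliced into
    the statement text, so its metacharacters restructure the query."""
    sql = (
        "SELECT id, customer, status FROM parcels WHERE id IN ("
        + ids
        + ") ORDER BY id"
    )
    return conn.execute(sql).fetchall()


# Positive validation: the parameter is only ever a list of unsigned integers.
_ID_LIST = re.compile(r"^\d+(,\d+)*$")


def fetch_hardened(conn: sqlite3.Connection, ids: str) -> list:
    """Validate the shape of `ids`, then bind one placeholder per value so
    the data never becomes part of the SQL text."""
    if not _ID_LIST.fullmatch(ids):
        raise ValueError("ids must be a comma-separated list of integers")
    values = [int(v) for v in ids.split(",")]
    placeholders = ",".join("?" * len(values))  # e.g. "?,?" for two ids
    sql = (
        "SELECT id, customer, status FROM parcels "
        f"WHERE id IN ({placeholders}) ORDER BY id"
    )
    return conn.execute(sql, values).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_vulnerable(db, "1"))               # the intended single row
    print(fetch_vulnerable(db, "0) OR 1=1 --"))    # every row: the injection
    print(fetch_hardened(db, "1,3"))               # two rows, bound safely
    try:
        fetch_hardened(db, "0) OR 1=1 --")
    except ValueError as err:
        print("rejected:", err)
```

The hardened version rejects the payload before any SQL is built; even if the validation were loosened, the placeholders keep the values out of the statement text, which is the property a prepared statement gives and string concatenation does not.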

Remediation (AI)

Immediate action: upgrade to a patched version if Campcodes publishes one (check https://www.campcodes.com/ for vendor advisories). The root-cause fix belongs in the application code: /print_pdets.php must validate that ids is a list of integers and pass the values to the database through a prepared statement with one placeholder per value, never by concatenating the parameter into the query text. If no patch is available, apply the following compensating controls:

1. Web Application Firewall (WAF) rules on the ids parameter of /print_pdets.php. Because the parameter should only ever be a comma-separated list of integers, an allowlist rule that rejects any other value is more precise than signature matching on SQL keywords (UNION, SELECT, OR, etc.); the keyword approach also works but risks false positives on legitimate data and is easier to evade with encoding.
2. Restrict access to /print_pdets.php to specific IP ranges or VPN-only, to limit attacker reach. Trade-off: reduced functionality for remote users.
3. Run the application under a database account with the least privilege it needs. Restricting that account to SELECT on the relevant tables prevents data modification through the injection and blocks stacked write statements, but it does not stop exfiltration of data the account can already read; only the code fix or the WAF rule addresses that.

If vendor support is unavailable, plan a migration to a maintained courier management platform that uses input validation and parameterized queries.
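A retrospective check for compensating control (1), as an added example that is not part of this page or the product: it parses web-server access log lines and flags any request to /print_pdets.php whose ids value is not a plain comma-separated integer list, which is the allowlist rule recommended above instead of keyword matching. The log lines, client addresses, user-agent strings, timestamps and the /search.php path with its q parameter are all constructed for the example.

```python
"""Added example (not from vuln.today or Campcodes): hunt access logs for
requests to /print_pdets.php whose `ids` parameter does not look like a
list of integers. The same shape check can be expressed as a WAF rule.

All log lines below are constructed; addresses, user agents and the
/search.php endpoint are hypothetical.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx "combined" log format. Line 3 contains
# the word "select" in a search box, which a keyword blacklist would flag
# but which has nothing to do with this vulnerability.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2025:10:01:02 +0000] "GET /print_pdets.php?ids=12,15 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jul/2025:10:01:07 +0000] "GET /print_pdets.php?ids=0)%20UNION%20SELECT%201,user(),3--%20- HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
10.0.0.7 - - [27/Jul/2025:10:02:30 +0000] "GET /search.php?q=select+a+branch HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jul/2025:10:02:41 +0000] "GET /print_pdets.php?ids=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ID_LIST = re.compile(r"^\d+(,\d+)*$")   # the only legitimate shape of `ids`
VULN_PATH = "/print_pdets.php"
VULN_PARAM = "ids"


def parse_line(line: str):
    """Split one combined-format log line into its fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_ids_requests(log_text: str) -> list:
    """Return one finding per /print_pdets.php request whose `ids` value
    fails the integer-list allowlist. Requests to other paths are ignored
    even if they contain SQL keywords, which keeps false positives down."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes values and turns '+' into spaces, so the
        # check runs on what the PHP script would actually receive.
        for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
            if not ID_LIST.fullmatch(value):
                findings.append(
                    {"ip": rec["ip"], "ts": rec["ts"],
                     "status": rec["status"], "ids": value}
                )
    return findings


if __name__ == "__main__":
    for hit in suspicious_ids_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} HTTP {hit["status"]} ids={hit["ids"]!r}')
```

Only the two requests that reach the vulnerable script with a malformed ids value are reported; the search request with "select" in it is skipped because the rule is scoped to the parameter that is actually injectable. A response status of 500 on a flagged request is worth a second look, since a broken query is what a probing attacker produces first.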
