EUVD-2025-18397

CVE-2025-6124 | HIGH 7.3 (CVSS 3.1)
Published 2025-06-16 | [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events)

Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18397
PoC Detected: Aug 22, 2025 - 19:37 (vuln.today), public exploit code
CVE Published: Jun 16, 2025 - 14:15 (nvd), HIGH 7.3

Description (NVD)

A vulnerability was found in code-projects Restaurant Order System 1.0 and classified as critical. This issue affects some unknown processing of the file /tablelow.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Critical SQL injection vulnerability in code-projects Restaurant Order System version 1.0, affecting the /tablelow.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the restaurant database. The vulnerability has been publicly disclosed with proof-of-concept availability, increasing real-world exploitation risk.

Technical Context (AI)

This vulnerability stems from improper input validation and parameterization in SQL query construction, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection). The /tablelow.php endpoint fails to properly sanitize or parameterize the 'ID' parameter before incorporating it into SQL queries. Typical vulnerable patterns include string concatenation of user input directly into SQL statements without prepared statements or parameterized queries. The Restaurant Order System 1.0 likely uses PHP with direct database queries (MySQL/MariaDB) without modern ORM protections or input validation libraries. The affected component processes table-related data (suggested by filename 'tablelow'), making restaurant inventory, orders, and customer data potential targets.

Remediation (AI)

Immediate remediation steps:
(1) Apply input validation: enforce whitelist-based validation for the ID parameter so that only numeric values are accepted, using a regex or type casting (e.g., intval() in PHP).
(2) Use parameterized queries: replace every SQL statement built by string concatenation with a prepared statement, using mysqli prepared statements or PDO with parameter binding.
(3) Prepared statement example: 'SELECT * FROM tables WHERE id = ?' executed with bind_param() (mysqli) or execute() with a parameter array (PDO).
(4) Apply the principle of least privilege: the database account used by the application should hold only the permissions it needs, not full administrative access.
(5) Suppress SQL error output in production (log errors server-side instead) to prevent information disclosure.
(6) Deploy Web Application Firewall (WAF) rules that detect and block SQL injection patterns in the ID parameter as interim protection.
(7) Contact code-projects for available security patches; check the repository or vendor website for version 1.1+ releases.
(8) If no patch is available, consider migrating to a maintained alternative, such as an open-source restaurant management system with active security support (e.g., Odoo POS, Dolibarr).
(9) Implement database activity monitoring and query logging to detect exploitation attempts.
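The concatenation pattern named in the technical context and the validation plus prepared-statement fix from steps (1) to (3) and (5), side by side as an added example; this is not code from the Restaurant Order System or from code-projects. The mysqli connection $db, the mysqlnd driver, the table name `tables` and its integer `id` column are assumptions taken from the sample query above, not from the vulnerable file.

```php
<?php
// Added illustration; not code from the Restaurant Order System or code-projects.
// Assumed (not from the advisory): an open mysqli connection $db (mysqlnd driver,
// needed for get_result()), and a table `tables` with an integer primary key `id`.

// BEFORE: the concatenation pattern the advisory describes. The raw ID value is
// spliced into the SQL text, so whatever the client sends is parsed as SQL.
function load_table_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['ID'] ?? '';
    $sql = "SELECT * FROM tables WHERE id = '" . $id . "'";   // injectable
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// AFTER: step (1) whitelist validation, steps (2)/(3) prepared statement with
// parameter binding, step (5) driver errors logged rather than echoed.
function load_table_hardened(mysqli $db, array $get): ?array
{
    // (1) Accept only a positive integer; anything else is rejected before the
    // database layer sees it. filter_var() returns false for "", "abc" and null.
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    try {
        // (2)/(3) The value is bound separately from the query text, so it is
        // never interpreted as SQL regardless of its content.
        $stmt = $db->prepare('SELECT * FROM tables WHERE id = ?');
        if ($stmt === false || !$stmt->bind_param('i', $id) || !$stmt->execute()) {
            throw new mysqli_sql_exception($db->error);
        }
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    } catch (mysqli_sql_exception $e) {
        // (5) Keep driver errors out of the HTTP response; log them server-side.
        error_log('tablelow.php: database error: ' . $e->getMessage());
        http_response_code(500);
        return null;
    }
}
```

The hardened handler behaves the same whether mysqli reports errors as exceptions (the PHP 8.1+ default) or as false return values, because both paths end in the catch block.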


EUVD-2025-18397 vulnerability details – vuln.today
