EUVD-2025-18825

| CVE-2025-6446 HIGH
2025-06-21 [email protected]
PHP SQLi Client Details System
7.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 21:35 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 21:35 euvd
EUVD-2025-18825
PoC Detected
Oct 29, 2025 - 16:32 vuln.today
Public exploit code
CVE Published
Jun 21, 2025 - 23:15 nvd
HIGH 7.3

DescriptionNVD

A vulnerability, which was classified as critical, has been found in code-projects Client Details System 1.0. This issue affects some unknown processing of the file /clientdetails/admin/index.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

A critical SQL injection vulnerability exists in code-projects Client Details System version 1.0, specifically in the /clientdetails/admin/index.php file where the Username parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and demonstrates moderate real-world risk despite the critical classification, with a CVSS score of 7.3 indicating concrete but not maximum severity.

Technical ContextAI

The vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), specifically manifesting as SQL injection. The Client Details System application fails to properly sanitize or parameterize the Username input parameter before incorporating it into SQL query construction in the /clientdetails/admin/index.php administrative interface. This is a classic improper input validation flaw where user-supplied data is concatenated directly into SQL statements without escaping, prepared statements, or input validation. The affected technology stack involves PHP-based web application processing with backend SQL database interaction, likely MySQL or similar RDBMS.

RemediationAI

Immediate remediation steps: (1) Apply vendor patch if available from code-projects; check their official website/repositories for security updates to version 1.1 or later; (2) If no patch is immediately available, implement input validation: use prepared statements/parameterized queries for all SQL operations involving the Username parameter; (3) Input sanitization: whitelist acceptable Username characters (alphanumeric, common separators); reject special SQL metacharacters; (4) Web Application Firewall (WAF) rules: deploy WAF signatures blocking common SQL injection patterns (UNION, SELECT, OR 1=1, etc.) targeting /clientdetails/admin/index.php; (5) Temporary mitigation: restrict /clientdetails/admin/ access via network/firewall rules to trusted IP addresses only; (6) Database-level: implement least-privilege database user accounts with minimal required SQL permissions; (7) Monitoring: implement SQL query logging and anomaly detection to identify exploitation attempts; (8) Long-term: migrate away from code-projects Client Details System 1.0 if vendor does not provide timely security updates, as legacy software with this vulnerability class presents sustained risk.

Share

EUVD-2025-18825 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy