CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in code-projects Online Bidding System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /bidnow.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6468 is a critical SQL injection vulnerability in code-projects Online Bidding System version 1.0 affecting the /bidnow.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete database contents, potentially compromising confidentiality, integrity, and availability of the entire bidding system. The vulnerability has been publicly disclosed with proof-of-concept code available, significantly increasing exploitation risk in active deployments.
Technical Context
The vulnerability stems from improper input validation and the use of unsanitized user-supplied data in SQL queries (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')). The /bidnow.php file processes an 'ID' parameter without parameterized query protection or input validation, so SQL metacharacters in the parameter value are passed directly into the database query. The Online Bidding System is a web-based PHP application, most likely backed by a relational database (MySQL/MariaDB). The attack vector is network-based with no authentication required (AV:N/PR:N), meaning the vulnerable endpoint can be reached directly through HTTP requests.
Affected Products
code-projects Online Bidding System version 1.0 - all installations. The vulnerable component is /bidnow.php. No CPE identifier was provided in the source data, but the affected software can be identified as: Product: Online Bidding System, Vendor: code-projects, Version: 1.0, Component: bidnow.php. All deployments of this version are potentially vulnerable regardless of underlying OS or web server configuration, as the vulnerability resides in the application layer.
Remediation
Immediate remediation steps:
(1) Update to a patched version of code-projects Online Bidding System if available; contact the vendor for patch availability.
(2) Apply input validation and output encoding to the ID parameter in /bidnow.php, using prepared statements/parameterized queries to separate SQL code from data.
(3) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the ID parameter.
(4) Disable or restrict access to /bidnow.php via IP whitelisting until patched.
(5) Enable database activity logging and monitor for exploitation attempts (look for SQL keywords in ID parameter values).
No specific vendor advisory link was provided in the source data; contact code-projects directly for official patch guidance.
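The following is an added illustration of remediation step (2), not code from the Online Bidding System itself: the pattern the Technical Context section describes (the ID value concatenated into the SQL text) next to a hardened version using integer validation and a PDO prepared statement. The table name, column name, query shape and connection details are assumptions, since the page does not show the original code.

```php
<?php
// Added example, not the project's own code. Table/column names, the query
// and the connection settings are assumptions for illustration.

// --- Pattern the advisory describes (do NOT use): string-built query ---
function lookup_item_vulnerable(PDO $db, array $get): ?array
{
    // The raw ID value becomes part of the SQL text, so any SQL
    // metacharacters in it alter the query structure (the CWE-74 flaw).
    $sql = "SELECT * FROM items WHERE id = " . ($get['ID'] ?? '');
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened form: validate the type, then bind as a parameter ---
function lookup_item_hardened(PDO $db, array $get): ?array
{
    // 1. An auction item ID is a positive integer; reject anything else
    //    before it gets anywhere near the database.
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // 2. Prepared statement: the SQL text is fixed at prepare time and the
    //    value is sent separately, so it can never be parsed as SQL.
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in bidnow.php (assumed connection details):
$pdo = new PDO('mysql:host=localhost;dbname=bidding', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$item = lookup_item_hardened($pdo, $_GET);
```

Disabling emulated prepares ensures the MySQL server, not the PDO driver, performs the parameter binding, which is the stronger separation of code and data that step (2) calls for.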
EUVD-2025-18838