EUVD-2025-18840

| CVE-2025-6472 HIGH
2025-06-22 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 21:55 euvd
EUVD-2025-18840
Analysis Generated
Mar 15, 2026 - 21:55 vuln.today
PoC Detected
Jun 27, 2025 - 16:56 vuln.today
Public exploit code
CVE Published
Jun 22, 2025 - 10:15 nvd
HIGH 7.3

Tags

PHP SQLi Online Bidding System

Description

A vulnerability, which was classified as critical, has been found in code-projects Online Bidding System 1.0. Affected by this issue is some unknown functionality of the file /showprod.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6472 is a critical SQL injection vulnerability in code-projects Online Bidding System 1.0 affecting the /showprod.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, creating immediate risk for exposed instances.

Technical Context

The vulnerability stems from improper input validation on the ID parameter in /showprod.php, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The root cause is insufficient parameterization or escaping of user-supplied input before incorporation into SQL queries. The Online Bidding System, a PHP-based e-commerce application, directly concatenates user input into SQL statements without proper prepared statements or parameterized queries. This allows attackers to inject arbitrary SQL syntax through the ID parameter, bypassing authentication mechanisms entirely (PR:N) and requiring no user interaction (UI:N).

Affected Products

code-projects Online Bidding System version 1.0 (CPE: cpe:/a:code-projects:online_bidding_system:1.0). The vulnerability specifically targets installations with the /showprod.php file accessible via HTTP/HTTPS on the default or custom web application path. All deployment configurations of this version are affected due to the lack of authentication requirements and the central nature of the product listing functionality.

Remediation

Immediate actions: (1) Disable or restrict access to /showprod.php via web application firewall rules if patching cannot be performed immediately; (2) Implement input validation on the ID parameter to accept only numeric values using whitelist patterns; (3) Upgrade to the latest patched version of Online Bidding System (vendor should provide patch details—check code-projects official repository/advisory); (4) Implement parameterized queries or prepared statements throughout the application; (5) Apply principle of least privilege to database user credentials used by the application. Long-term: migrate to actively maintained e-commerce platforms with security-by-design principles.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-18840 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy