EUVD-2025-18862

CVE-2025-6500 | HIGH | CVSS 3.1 base score 7.3
Published: 2025-06-23 by [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (newest first)

Mar 15, 2026 22:10 (vuln.today): Analysis generated
Mar 15, 2026 22:10 (euvd): EUVD ID assigned: EUVD-2025-18862
Jun 27, 2025 16:58 (vuln.today): PoC detected: public exploit code
Jun 23, 2025 03:15 (nvd): CVE published, rated HIGH 7.3

Description

A vulnerability, which was classified as critical, has been found in code-projects Inventory Management System 1.0. Affected by this issue is some unknown functionality of the file /php_action/editCategories.php. The manipulation of the argument editCategoriesName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6500 is a SQL injection vulnerability in code-projects Inventory Management System 1.0: the editCategoriesName parameter handled by /php_action/editCategories.php reaches a SQL query without sanitization or parameter binding. The source description classifies the issue as critical, while the CVSS 3.1 vector on this page (AV:N/AC:L/PR:N/UI:N, C:L/I:L/A:L) scores it 7.3 High; the Low impact ratings are what keep the score below Critical, since the same exploitability with High impact would score 9.8. An unauthenticated attacker who can reach the endpoint over the network can use the injection to read, modify, or delete database contents, affecting confidentiality, integrity, and availability. Public exploit code has been detected (see the timeline), which raises the likelihood of real-world exploitation.

Technical Context

The vulnerability exists in a PHP-based Inventory Management System (CPE: cpe:2.3:a:code-projects:inventory_management_system:1.0:*:*:*:*:*:*:*) at the application entry point /php_action/editCategories.php. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), manifesting specifically as SQL injection (CWE-89). The editCategoriesName parameter is passed directly into SQL query text without parameterized statements or input validation, so an attacker controls part of the statement the database parses and can inject arbitrary SQL. This is a server-side SQL injection flaw in the PHP backend that directly impacts the database layer.

Affected Products

code-projects Inventory Management System, version 1.0

Remediation

Fix: Update Inventory Management System to version 1.1 or later, if the vendor publishes such a release; contact code-projects for a patched release or security advisory. Priority: Critical, given public exploit code and no authentication requirement.
Code fix - Prepared Statements: Rewrite the query in editCategories.php to use prepared statements (mysqli prepared statements or PDO prepared statements) with editCategoriesName bound as a parameter instead of concatenated into the SQL string. This is the change that removes the flaw; the items below reduce exposure until it is applied.
Workaround - Input Validation: Enforce strict validation on editCategoriesName: allowlist a bounded length and alphanumeric characters plus the few symbols a category name legitimately needs, and reject everything else. Rejecting SQL keywords or special characters (quotes, semicolons, dashes, asterisks) is a weaker form of the same control, because keyword filters are bypassable; validation is defence in depth, not a substitute for parameter binding.
Workaround - WAF Rule: Deploy a Web Application Firewall rule that blocks requests to /php_action/editCategories.php whose editCategoriesName parameter contains SQL injection payloads (for example UNION, SELECT, DROP, INSERT, DELETE, or quote and comment sequences). Expect bypasses through case changes, inline comments and encoding; treat the rule as a stopgap and as a detection source, not as the fix.
Workaround - Least Privilege: Run the PHP application against a database account with the minimum permissions its queries need; if category edits only require UPDATE (and INSERT), do not grant DROP or DELETE on critical tables, so a successful injection cannot destroy data.
Monitoring: Monitor application logs and database query logs for unusual SQL patterns, errors, or failed queries tied to /php_action/editCategories.php, and deploy IDS/IPS signatures for CVE-2025-6500.
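The following is an added example, not code from code-projects or from the vulnerable editCategories.php itself. It illustrates the string-concatenation pattern that the Technical Context attributes to the file beside the prepared-statement rewrite the Remediation calls for, plus the allowlist check. The table and column names (categories, categories_id, categories_name), the $connect mysqli handle, the editCategoriesId parameter, the JSON response shape and the connection credentials are all assumptions for the example and are not taken from the project.

```php
<?php
// Added example, not the code-projects source. Table/column names, the
// editCategoriesId parameter and the $connect handle are assumptions.

// --- Vulnerable pattern (CWE-89): editCategoriesName is interpolated into the
// SQL text, so a value such as  x' OR 1=1 --  rewrites the WHERE clause, and a
// value ending in a quote plus further statements alters the query itself.
function editCategoryVulnerable(mysqli $connect, string $name, int $id): bool
{
    $sql = "UPDATE categories SET categories_name = '$name' WHERE categories_id = $id";
    return (bool) $connect->query($sql);
}

// --- Hardened: the same update as a prepared statement. The name is sent as a
// bound parameter, so the statement the server parses never contains it and
// quotes or keywords in the value cannot change the query structure.
function editCategorySafe(mysqli $connect, string $name, int $id): bool
{
    $stmt = $connect->prepare(
        'UPDATE categories SET categories_name = ? WHERE categories_id = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $name, $id); // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Defence in depth: an allowlist for category names (assumed policy:
// 1..64 printable characters, letters/digits/space and a few symbols).
// This is an application rule, not the SQLi fix; parameter binding is.
function isValidCategoryName(string $name): bool
{
    return strlen($name) >= 1
        && strlen($name) <= 64
        && preg_match('/^[A-Za-z0-9][A-Za-z0-9 _.&-]*$/', $name) === 1;
}

// --- Request handling in the style of a php_action script (assumed layout).
$connect = new mysqli('localhost', 'inventory_app', 'app-password', 'inventory'); // assumed credentials
$connect->set_charset('utf8mb4');

$name = $_POST['editCategoriesName'] ?? '';
$id   = filter_input(INPUT_POST, 'editCategoriesId', FILTER_VALIDATE_INT);

if ($id === false || $id === null || !isValidCategoryName($name)) {
    http_response_code(400);
    echo json_encode(['success' => false, 'messages' => 'Invalid category name or id']);
    exit;
}

echo json_encode(['success' => editCategorySafe($connect, $name, $id)]);
```

editCategoryVulnerable is included only to show the pattern being fixed and should not be reachable from any request handler; the handler above calls editCategorySafe exclusively. The database account used for $connect should be the least-privilege account from the remediation list, so that even a future injection elsewhere cannot DROP or DELETE beyond what category editing needs.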

Priority Score

57 (vuln.today composite; scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20


EUVD-2025-18862 vulnerability details – vuln.today
