EUVD-2025-19069

| CVE-2025-6579 HIGH
2025-06-24 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-19069
PoC Detected
Jul 11, 2025 - 15:52 vuln.today
Public exploit code
CVE Published
Jun 24, 2025 - 20:15 nvd
HIGH 7.3

Tags

PHP SQLi Car Rental System

Description

A vulnerability was found in code-projects Car Rental System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /message_admin.php. The manipulation of the argument Message leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6579 is a critical SQL injection vulnerability in code-projects Car Rental System 1.0 affecting the /message_admin.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available and may be actively exploited in the wild.

Technical Context

The vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically SQL injection. The /message_admin.php endpoint fails to properly sanitize or parameterize user-supplied input in the 'Message' parameter before incorporating it into SQL queries. This is a classic web application vulnerability where user input is concatenated directly into SQL statements without escaping or using prepared statements. The affected product is code-projects Car Rental System version 1.0, a PHP-based web application commonly used for managing vehicle rental operations. The vulnerability exists in a message administration functionality, likely used for handling customer messages or internal communication, making it a direct entry point for attackers.

Affected Products

Product: code-projects Car Rental System, Version: 1.0, Affected Component: /message_admin.php, Vulnerable Parameter: Message. CPE designation would be: cpe:2.3:a:code-projects:car_rental_system:1.0:*:*:*:*:*:*:*. This appears to be an open-source or community project with limited vendor infrastructure. The vulnerability affects all installations of Car Rental System 1.0 without security patches applied, particularly those exposed to untrusted networks or public internet access.

Remediation

Immediate actions: (1) Apply input validation and parameterization: Replace all direct SQL string concatenation in /message_admin.php with prepared statements or parameterized queries using PHP PDO or mysqli prepared statements. (2) Implement output encoding and input validation for the Message parameter using whitelisting and sanitization functions. (3) Apply principle of least privilege to database user accounts executing queries from this endpoint. (4) Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the Message parameter as a temporary mitigation. Long-term: Upgrade to a patched version if available from the vendor (check code-projects project repository for updates beyond v1.0). If no patch exists, conduct thorough code review of all user input handling in the application. Implement comprehensive input validation across the entire application following OWASP Top 10 guidelines.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-19069 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy