CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in code-projects Inventory Management System 1.0. It has been rated as critical. The issue affects unspecified processing in the file /php_action/removeCategories.php: manipulation of the argument categoriesId leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6612 is a SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/removeCategories.php endpoint. A remote attacker who needs neither credentials nor user interaction (CVSS vector AV:N/PR:N/UI:N) can manipulate the 'categoriesId' parameter to alter the SQL query the endpoint executes, potentially leading to unauthorized data access, modification, or deletion. Public exploit code is available. The "critical" label is the reporter's own rating; on the CVSS 3.1 qualitative scale the base score of 7.3 (with each of confidentiality, integrity and availability rated Low) is High, not Critical, so treat the two ratings as different scales rather than a contradiction.
Technical Context
This vulnerability exists in a PHP-based Inventory Management System where user-supplied input (the categoriesId parameter) is neither validated nor kept separate from the SQL statement through parameterized prepared statements. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the parent class of CWE-89 (SQL Injection); the behaviour described is a classic SQL injection flaw. The vulnerable endpoint /php_action/removeCategories.php processes category deletion, so the injection point is most likely the WHERE clause of a DELETE statement, and the lack of input sanitization allows an attacker to break out of the intended SQL syntax and append their own SQL. The page does not reproduce the source, but a parameter value changing query semantics is the signature of a query assembled by string concatenation from raw request input. A category identifier should be an integer, so even a strict integer check on the parameter would have prevented the injection; binding the value as a prepared-statement parameter removes the problem entirely.
Affected Products
Product: code-projects Inventory Management System; Affected Version: 1.0; Vulnerable Component: /php_action/removeCategories.php; Parameter: categoriesId. No CPE identifier was provided in standard sources, but the product can be referenced as code-projects Inventory Management System v1.0. Affected deployments are most likely small organisations and individual installations of this downloadable PHP package. No patched version is named in the available sources, which suggests either that no fix has been released or that the vendor has not issued a formal advisory. Any internet-reachable deployment of version 1.0 should be treated as exposed, since no authentication is required to reach the vulnerable endpoint.
Remediation
Immediate actions:
(1) Validate the categoriesId parameter strictly: accept only a positive integer (for example via filter_var with FILTER_VALIDATE_INT) and reject everything else before it reaches the database layer.
(2) Use prepared statements with bound parameters (PDO or mysqli) for every query in removeCategories.php, so the parameter value is sent to the server as data and can never be parsed as SQL.
(3) Apply the principle of least privilege to the database account: the PHP application's credentials should be limited to the tables and operations it actually needs, which bounds what a successful injection can reach.
(4) Add Web Application Firewall (WAF) rules that detect and block common SQL injection patterns in category-related parameters; treat this as defence in depth, not as the fix.
(5) Upgrade to a patched version if one becomes available from code-projects (check the project repository or advisory page).
(6) As an interim mitigation, disable or restrict access to /php_action/removeCategories.php at the web server level (.htaccess or nginx configuration) if the functionality is not immediately required; at minimum, require authentication for it, since the vector shows it is reachable without credentials.
Long-term: refactor the application to use a database abstraction or ORM framework (Laravel Eloquent, Doctrine) that parameterizes queries by default, and review the other /php_action/ endpoints for the same pattern.
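The concatenation pattern described under Technical Context and the fix recommended in steps (1), (2) and (6) above, as an added PHP example. This is not code from code-projects or from this page; the real removeCategories.php is not reproduced here, and the "vulnerable" function is a hypothetical reconstruction of the pattern the description implies. The table name categories, the column categories_id, the JSON response shape, the session key userId and the connection credentials are all assumptions.

```php
<?php
// Added example, not code-projects' own code. The real removeCategories.php is not
// shown on this page; removeCategoryVulnerable() reconstructs the pattern the
// advisory describes (categoriesId concatenated into a DELETE statement).
// Assumptions: table `categories`, column `categories_id`, session key `userId`.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of returning false

// Hypothetical vulnerable pattern: the raw request value becomes part of the SQL text.
// A value such as "1 OR 1=1" turns the statement into "DELETE ... WHERE categories_id = 1 OR 1=1"
// and removes every category, which is what the description's "manipulation of the argument" means.
function removeCategoryVulnerable(mysqli $db, string $categoriesId): bool
{
    $sql = "DELETE FROM categories WHERE categories_id = " . $categoriesId;
    return $db->query($sql) === true;
}

// Hardened version:
//   1. Strict allow-list validation: the id must be a positive integer (step 1 above).
//   2. Prepared statement with a bound parameter, so the value is sent as data and
//      is never parsed as SQL (step 2 above).
// Returns the number of deleted rows, or null if the input was rejected.
function removeCategorySafe(mysqli $db, string $categoriesId): ?int
{
    $id = filter_var($categoriesId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // "1 OR 1=1", "1; DROP TABLE x", "", "abc" all stop here
    }
    $stmt = $db->prepare('DELETE FROM categories WHERE categories_id = ?');
    $stmt->bind_param('i', $id); // 'i' binds as integer; the SQL text above never changes
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handler. The CVSS vector (PR:N) says the original endpoint needed no credentials,
// so an authentication check is restored here as part of the fix (step 6 above).
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    if (empty($_SESSION['userId'])) { // assumed session key for a logged-in user
        http_response_code(401);
        exit;
    }
    // Placeholder credentials; the account should hold only the privileges the app needs (step 3 above).
    $db = new mysqli('localhost', 'inventory_app', 'change-me', 'inventory');
    $db->set_charset('utf8mb4');

    $deleted = removeCategorySafe($db, (string) ($_POST['categoriesId'] ?? ''));
    header('Content-Type: application/json');
    echo json_encode(['success' => $deleted !== null, 'deleted' => $deleted ?? 0]);
}
```

The important difference is not the validation alone but that the SQL text in removeCategorySafe() is a fixed string: whatever the client sends, MySQL receives the same statement and a separately transmitted integer. Keep the integer check anyway, because it gives a clean 4xx-style failure for garbage input and documents the expected type for the next maintainer.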
Related Identifier
EUVD-2025-19109