EUVD-2025-21203

| CVE-2025-7461 HIGH
2025-07-12 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 08:56 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 08:56 euvd
EUVD-2025-21203
PoC Detected
Jul 15, 2025 - 18:34 vuln.today
Public exploit code
CVE Published
Jul 12, 2025 - 05:15 nvd
HIGH 7.3

Tags

PHP SQLi Modern Bag

Description

A vulnerability was found in code-projects Modern Bag 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /action.php. The manipulation of the argument proId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7461 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, located in the /action.php file's proId parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially access, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate confidentiality, integrity, and availability impact; however, the attack requires no authentication or user interaction, making it immediately exploitable in network-accessible deployments.

Technical Context

Modern Bag 1.0 is a PHP-based application that fails to properly sanitize user input in the proId parameter passed to /action.php, allowing SQL injection via CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The vulnerable code path likely constructs SQL queries through direct string concatenation of the proId parameter without using prepared statements or parameterized queries. This is a classic web application vulnerability where user-controlled input is treated as executable SQL code rather than data, enabling attackers to alter query logic, extract sensitive data, or modify database records.

Affected Products

code-projects Modern Bag version 1.0 (all deployments). CPE designation would be approximately cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*. No patch version information is provided in the vulnerability description, suggesting either no patched version has been released or the vendor has not published official updates. End-of-life or unsupported status of Modern Bag 1.0 should be verified with the vendor.

Remediation

1) IMMEDIATE: If running Modern Bag 1.0 in production, isolate or take offline pending patched version availability. 2) Contact code-projects vendor directly for patch status and expected release timeline. 3) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in proId parameter (e.g., blocking SQL keywords like UNION, SELECT, DROP in this parameter). 4) Apply strict input validation: whitelist acceptable proId values (e.g., numeric-only if product IDs are numeric). 5) Upgrade to patched Modern Bag version once available from vendor. 6) If no patch is forthcoming, consider replacing Modern Bag with a maintained alternative that implements secure coding practices (parameterized queries, input validation, principle of least privilege for database accounts). 7) Review database access logs for signs of exploitation.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-21203 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy