CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability, which was classified as critical, has been found in code-projects Modern Bag 1.0. Affected by this issue is some unknown functionality of the file /admin/product-update.php. The manipulation of the argument idProduct leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-7508 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/product-update.php endpoint, where the 'idProduct' parameter is not validated before it is used in database queries. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially exfiltrating sensitive data, modifying product information, or gaining further system access. A public exploit has been disclosed, and real-world exploitation is likely given the low attack complexity and the absence of any authentication requirement.
Technical Context
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which encompasses SQL injection when user-supplied input is concatenated directly into SQL query strings without parameterization or proper escaping. The affected application uses PHP to handle administrative product updates; the vulnerable code path processes the 'idProduct' parameter from HTTP requests and inserts it into SQL queries against a backend database (likely MySQL/MariaDB). The root cause is the absence of prepared statements, input validation, or output encoding mechanisms. CPE specification would be 'cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*', indicating the e-commerce/shopping cart application Modern Bag version 1.0 is affected.
Affected Products
- Product: Modern Bag
- Vendor: code-projects
- Version: 1.0
- CPE: cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*
- Vulnerable component: /admin/product-update.php
- Vulnerable parameter: idProduct
- Status: Vulnerable
Remediation
- Immediate mitigation: If patching is unavailable, restrict network access to /admin/ paths via firewall, WAF rules, or additional authentication controls. Implement input validation on the idProduct parameter so that only numeric values are accepted (e.g., regex: ^[0-9]+$).
- Code-level fix: Replace dynamic SQL query construction with prepared statements using parameterized queries (e.g., PHP PDO with placeholders or mysqli prepared statements). Example: use $stmt = $pdo->prepare('UPDATE products SET ... WHERE id = ?'); $stmt->execute([$idProduct]); instead of string concatenation.
- Patch availability: Contact code-projects for a patched version >1.0. If no official patch exists, consider forking the project or migrating to a maintained e-commerce platform (e.g., WooCommerce, Shopify) with active security support.
- Detection & response: Audit database logs for suspicious SQL queries containing UNION, SELECT, OR 1=1, etc. within product update requests. Deploy WAF signatures to block common SQL injection payloads targeting admin endpoints.
- Post-exploitation: If compromise is suspected, rotate database credentials, audit user accounts created post-incident, review product/price modifications, and restore from clean backups.
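Worked example, added here and not taken from the Modern Bag code base: the unparameterized pattern the advisory describes, next to a hardened handler that enforces the numeric check from the Immediate mitigation item and the PDO prepared statement from the Code-level fix. The table and column names (products, id, name, price) and the admin session check are assumptions.

```php
<?php
// Added illustration, not the project's own code. Table/column names are assumed.

// Vulnerable pattern (the root cause named in Technical Context): idProduct is
// concatenated into the query string, so the database sees whatever text the
// client sent as part of the SQL statement rather than as a value.
function updateProductVulnerable(mysqli $db, array $post): bool
{
    $idProduct = $post['idProduct'];                      // no validation
    $name      = $db->real_escape_string($post['name']);
    $sql = "UPDATE products SET name = '$name' WHERE id = " . $idProduct;
    return $db->query($sql) !== false;
}

// Hardened version: (1) require an authenticated admin session, since the
// endpoint is reachable with PR:N; (2) accept idProduct only if it matches
// ^[0-9]+$; (3) bind it as an integer parameter of a prepared statement.
function validateProductId(mixed $raw): ?int
{
    if (!is_string($raw) || preg_match('/^[0-9]+$/', $raw) !== 1) {
        return null;                                      // reject non-numeric input
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

function updateProductSafe(PDO $pdo, array $post, array $session): bool
{
    if (empty($session['is_admin'])) {                    // assumed session key
        http_response_code(403);
        return false;
    }
    $idProduct = validateProductId($post['idProduct'] ?? null);
    if ($idProduct === null) {
        http_response_code(400);
        return false;
    }
    // Placeholders keep data and SQL separate; with ATTR_EMULATE_PREPARES off,
    // the server-side prepare enforces that separation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare(
        'UPDATE products SET name = :name, price = :price WHERE id = :id'
    );
    $stmt->bindValue(':name',  (string) ($post['name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':price', (string) (float) ($post['price'] ?? 0), PDO::PARAM_STR);
    $stmt->bindValue(':id',    $idProduct, PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}
```

The rowCount check also surfaces updates that matched no product, which is a useful signal when auditing product/price modifications after a suspected compromise.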
EUVD-2025-21239