EUVD-2025-21243

| CVE-2025-7514 HIGH
2025-07-13 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:18 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:18 euvd
EUVD-2025-21243
PoC Detected
Jul 15, 2025 - 17:41 vuln.today
Public exploit code
CVE Published
Jul 13, 2025 - 04:15 nvd
HIGH 7.3

Tags

PHP SQLi Modern Bag

Description

A vulnerability was found in code-projects Modern Bag 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/contact-list.php. The manipulation of the argument idStatus leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

A SQL injection vulnerability exists in code-projects Modern Bag version 1.0, specifically in the /admin/contact-list.php file where the 'idStatus' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation likely.

Technical Context

This vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically manifesting as SQL injection in a web application context. The vulnerable code in /admin/contact-list.php fails to properly parameterize or sanitize the 'idStatus' parameter before incorporating it into SQL queries. Modern Bag 1.0 is a PHP-based project management or contact management application (based on file naming convention). The attack exploits the application's direct concatenation of user input into SQL statement construction, a fundamental input validation failure. CPE identifier would be: cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:* (or similar variation). The PHP application likely uses deprecated MySQL extensions or improper prepared statement implementation.

Affected Products

[{'vendor': 'code-projects', 'product': 'Modern Bag', 'affected_versions': ['1.0'], 'vulnerable_component': '/admin/contact-list.php', 'vulnerable_parameter': 'idStatus', 'cpe': 'cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*'}]

Remediation

[{'type': 'Primary', 'action': 'Patch Application', 'description': 'Update Modern Bag to a patched version released by code-projects. Check official project repository/website for security updates beyond 1.0.'}, {'type': 'Immediate Workaround', 'action': 'Input Validation & Parameterization', 'description': 'Implement prepared statements/parameterized queries for all database interactions in /admin/contact-list.php. Replace direct SQL concatenation with parameterized query placeholders (e.g., PDO prepared statements or mysqli prepared statements in PHP).'}, {'type': 'Mitigation', 'action': 'Web Application Firewall (WAF) Rules', 'description': 'Deploy WAF rules to block SQL injection patterns in the idStatus parameter. Block requests containing SQL keywords (SELECT, UNION, OR, AND, DROP, etc.) in that parameter.'}, {'type': 'Mitigation', 'action': 'Access Control', 'description': 'Restrict access to /admin/ directory via IP whitelisting, require strong authentication, or move admin interface behind VPN/additional authentication layer until patched.'}, {'type': 'Detection', 'action': 'Input Sanitization', 'description': 'Apply SQL escaping functions (mysqli_real_escape_string or equivalent) as a temporary stopgap, though parameterized queries are the definitive solution.'}]

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-21243 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy