EUVD-2025-21268
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability, which was classified as critical, was found in code-projects Online Appointment Booking System 1.0. Affected is an unknown function of the file /getclinic.php. The manipulation of the argument townid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Analysis
CVE-2025-7540 is a critical SQL injection vulnerability in code-projects Online Appointment Booking System 1.0 affecting the /getclinic.php file's townid parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the database. The vulnerability has been publicly disclosed with exploit code available, creating immediate operational risk for deployed instances.
Technical Context
The vulnerability exists in the Online Appointment Booking System (a PHP-based web application), specifically in the /getclinic.php endpoint which likely queries clinic data filtered by geographic location (townid parameter). The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating insufficient input validation/sanitization before SQL query construction. The townid parameter is passed directly into SQL statements without prepared statements or parameterized queries. This is a classic second-order SQL injection or direct SQL injection scenario where user input flows unsanitized into database queries. PHP applications using mysqli or PDO without proper prepared statement usage are particularly susceptible.
Affected Products
code-projects Online Appointment Booking System version 1.0 and potentially earlier versions. The specific affected component is /getclinic.php. CPE data is not explicitly provided in the source, but the product would be: cpe:2.3:a:code-projects:online_appointment_booking_system:1.0:*:*:*:*:*:*:*. Versions after 1.0 may also be affected unless patches have been released. The application appears to be a web-based clinic/appointment management system written in PHP.
Remediation
1) IMMEDIATE: Apply input validation and sanitization to the townid parameter—implement allowlist validation (e.g., numeric-only if townid should be numeric) before SQL usage. 2) PRIMARY FIX: Refactor /getclinic.php to use parameterized queries/prepared statements with bound parameters (mysqli prepared statements or PDO prepared statements) instead of string concatenation for SQL construction. 3) Update to the latest patched version of Online Appointment Booking System once released by code-projects. 4) SHORT-TERM MITIGATION: Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the townid parameter (e.g., block payloads containing SQL keywords: UNION, SELECT, OR 1=1). 5) Apply principle of least privilege to database user credentials used by the application. 6) No vendor advisory URL was provided; check code-projects official repository or security advisories for patch availability. 7) Conduct code review of all similar parameter handling throughout the application.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today