Severity by source
Primary rating from NVD (the only source for this CVE).
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as critical has been found in code-projects AVL Rooms 1.0. This affects an unknown part of the file /city.php. The manipulation of the argument city leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
CVE-2025-7606 is a critical SQL injection vulnerability in code-projects AVL Rooms 1.0. The /city.php script does not properly sanitize the 'city' parameter, so a remote, unauthenticated attacker can execute arbitrary SQL queries against the backend database. The vulnerability carries a CVSS score of 7.3 (High); a public exploit has been disclosed, giving the flaw active exploitation potential and enabling attackers to read, modify or delete database contents without authentication.
Technical Context (AI-generated)
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), a direct subcategory of injection flaws. The root cause is insufficient input validation and output encoding in the PHP application's /city.php file, where user-supplied input from the 'city' parameter is concatenated directly into SQL queries instead of being passed through parameterized queries or prepared statements. The affected product is code-projects AVL Rooms version 1.0, a PHP-based web application (CPE: cpe:2.3:a:code-projects:avl_rooms:1.0:*:*:*:*:*:*:*). The flaw follows the typical SQL injection pattern: special characters and SQL syntax supplied in an unsanitized HTTP parameter reach the backend query text and alter the database logic.
Remediation (AI-generated)
Patch: Upgrade to a patched version of AVL Rooms if available from code-projects. Check the vendor advisory for the specific patch version (this information is not provided in the CVE data; contact the vendor directly).
Immediate mitigation (if patching is unavailable):
- Implement input validation: whitelist the characters allowed in the 'city' parameter (alphanumeric, spaces and hyphens only).
- Use parameterized queries/prepared statements in /city.php to separate SQL code from data: use mysqli_prepare() or PDO prepared statements instead of string concatenation.
- Apply output encoding to prevent second-order SQL injection.
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the 'city' parameter.
- Run queries with the minimum necessary database privileges (principle of least privilege).
- Enable SQL error suppression to prevent information disclosure.
Detection:
- Monitor application logs for SQL error messages and unusual database queries.
- Implement IDS/IPS signatures for SQL injection attacks targeting /city.php.
- Review database access logs for unexpected query patterns.
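The concatenation pattern the advisory describes, beside the whitelist-plus-prepared-statement fix it recommends, as an added example written for this page (not the AVL Rooms source; the table `rooms`, its columns and the connection credentials are assumptions):

```php
<?php
// Added example, not the AVL Rooms code. Table/column names and the
// connection details below are placeholders, not values from the advisory.
// The database user should hold only the SELECT privilege this page needs.
$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

// Vulnerable pattern: the raw 'city' parameter is spliced into the query
// text, so whatever it contains is parsed by MySQL as SQL.
function listRoomsVulnerable(mysqli $db, string $city): array {
    $sql = "SELECT id, name, city FROM rooms WHERE city = '" . $city . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened form: reject anything outside the whitelist the advisory gives
// (letters, digits, spaces, hyphens), then bind the value as a parameter so
// it is sent to the server as data, never as part of the statement.
function listRoomsSafe(mysqli $db, string $city): array {
    if (!preg_match('/^[A-Za-z0-9 \-]{1,64}$/', $city)) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare("SELECT id, name, city FROM rooms WHERE city = ?");
    if ($stmt === false) {
        // Keep driver errors out of the HTTP response; log them server-side.
        error_log("prepare failed: " . $db->error);
        return [];
    }
    $stmt->bind_param('s', $city);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Request handling in /city.php: the parameter never touches the query text.
$city  = $_GET['city'] ?? '';
$rooms = listRoomsSafe($mysqli, $city);
header('Content-Type: application/json');
echo json_encode($rooms);
```

Run with `display_errors` off in php.ini so that a failed prepare or execute does not echo database error text to the client.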
EUVD identifier: EUVD-2025-21347