EUVD-2025-21361

| CVE-2025-7509 HIGH
2025-07-13 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:18 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:18 euvd
EUVD-2025-21361
PoC Detected
Jul 15, 2025 - 17:45 vuln.today
Public exploit code
CVE Published
Jul 13, 2025 - 01:15 nvd
HIGH 7.3

Tags

PHP SQLi Remote Code Execution Modern Bag

Description

A vulnerability, which was classified as critical, was found in code-projects Modern Bag 1.0. This affects an unknown part of the file /admin/slide.php. The manipulation of the argument idSlide leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7509 is a critical SQL injection vulnerability in code-projects Modern Bag 1.0 affecting the /admin/slide.php endpoint via the idSlide parameter. An unauthenticated remote attacker can exploit this with no user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical Context

This vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection), specifically manifesting as SQL injection. The /admin/slide.php file fails to properly sanitize or parameterize user input from the idSlide parameter before incorporating it into SQL queries. Modern Bag is a PHP-based content management or e-commerce system, and the vulnerable endpoint handles slide management functionality typically found in admin dashboards. The lack of input validation allows attackers to inject malicious SQL syntax that executes within the database context of the application.

Affected Products

Affected Product: code-projects Modern Bag, Version: 1.0. CPE would be: cpe:2.3:a:code-projects:modern_bag:1.0:*:*:*:*:*:*:*. No later versions are confirmed as patched based on the advisory data provided. The vulnerability specifically affects the administrative interface at /admin/slide.php, suggesting installations with exposed admin panels are immediately at risk.

Remediation

Immediate Actions: (1) Upgrade code-projects Modern Bag to version 1.1 or later if available from the vendor, (2) If no patched version exists, apply input validation and parameterized queries to the idSlide parameter in /admin/slide.php - use prepared statements or parameterized SQL queries rather than string concatenation, (3) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the /admin/slide.php endpoint, (4) Restrict access to /admin/ paths via IP whitelisting or authentication-before-routing, (5) Apply principle of least privilege to database user accounts used by the application. Contact code-projects directly for vendor advisory and patch availability; no specific patch URL provided in current data.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-21361 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy