CVE-2025-10415 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Grocery Sales and Inventory System. The vulnerability resides in the /ajax.php endpoint, specifically when handling the 'save_supplier' action. An attacker can manipulate the 'ID' parameter in the HTTP request to inject malicious SQL code. This injection flaw allows unauthorized remote attackers to execute arbitrary SQL commands on the backend database without requiring authentication or user interaction. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L), indicating that while the attacker can potentially read, modify, or delete some data, the scope and severity of damage are somewhat constrained. The vulnerability has a CVSS 4.0 base score of 6.9, categorized as medium severity. Although no known exploits are currently reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of an available patch or mitigation from the vendor at this time further elevates the threat. SQL Injection vulnerabilities are critical because they can lead to unauthorized data access, data corruption, or denial of service, depending on the database and application context. Given that this system manages grocery sales and inventory, exploitation could disrupt business operations, compromise supplier or inventory data, and potentially lead to financial losses or reputational damage.

For European organizations using Campcodes Grocery Sales and Inventory System 1.0, this vulnerability poses a tangible risk to operational continuity and data security. Exploitation could allow attackers to access sensitive supplier and inventory data, manipulate sales records, or disrupt inventory management processes. This could result in inaccurate stock levels, financial discrepancies, and supply chain interruptions. Retailers and grocery businesses relying on this system may face direct financial losses, regulatory compliance issues (especially under GDPR if personal data is involved), and damage to customer trust. Furthermore, attackers could leverage the vulnerability as a foothold to pivot into broader corporate networks, potentially escalating the impact beyond the inventory system. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, particularly if the system is exposed to the internet or poorly segmented within internal networks.

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, restrict access to the /ajax.php endpoint by applying network-level controls such as IP whitelisting or VPN-only access to limit exposure. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter. Conduct thorough input validation and sanitization on all parameters, especially those interacting with the database, to prevent injection. Review and harden database permissions to ensure the application account has the least privileges necessary, minimizing potential damage from exploitation. Monitor logs for unusual or suspicious activity related to the 'save_supplier' action. Additionally, organizations should engage with the vendor to obtain patches or updates and plan for an upgrade once available. Regular security assessments and penetration testing focusing on this vector are recommended to verify the effectiveness of mitigations.