CVE-2025-13582: SQL Injection in code-projects Jonnys Liquor
A security flaw has been discovered in code-projects Jonnys Liquor 1.0. An unknown function of the file /detail.php in the GET Parameter Handler component is affected. Manipulation of the argument Product results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13582 identifies a SQL injection vulnerability in the code-projects Jonnys Liquor 1.0 application, specifically in the /detail.php file's GET parameter handler for the 'Product' argument. The vulnerability arises from improper sanitization of user-supplied input, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. The flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data disclosure, data modification, or denial of service through database corruption or crashes. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, a public exploit is available, increasing the risk of attacks. The vulnerability affects only version 1.0 of Jonnys Liquor, and no official patches have been published yet. The lack of secure coding practices such as parameterized queries or input validation in the affected component is the root cause. Organizations using this software should consider immediate mitigations to prevent exploitation while awaiting official patches.
Potential Impact
For European organizations, exploitation of this SQL injection vulnerability could lead to significant data breaches, including exposure of customer data, pricing, inventory, or transactional records. This could result in financial losses, regulatory penalties under GDPR for data exposure, and reputational damage. Integrity of business data could be compromised, leading to incorrect inventory or sales records, impacting operational decisions. Availability of the application could be disrupted if attackers execute commands causing database crashes or lockups. Retailers and distributors using Jonnys Liquor software are particularly at risk, as attackers could manipulate product details or pricing information. The remote, unauthenticated nature of the vulnerability increases the likelihood of exploitation attempts, especially given the public availability of an exploit. Organizations may also face compliance issues if sensitive personal or payment data is exposed due to this flaw.
Mitigation Recommendations
1. Immediately implement input validation and sanitization on the 'Product' GET parameter to block malicious SQL syntax.
2. Refactor the vulnerable code to use parameterized queries or prepared statements to prevent SQL injection.
3. Restrict database user permissions to the minimum necessary, avoiding use of high-privilege accounts for application queries.
4. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts.
5. Employ Web Application Firewalls (WAFs) with rules targeting SQL injection signatures to provide an additional layer of defense.
6. If patching is not immediately available, consider temporarily disabling or restricting access to the vulnerable /detail.php endpoint.
7. Conduct security audits and code reviews to identify and remediate similar injection flaws elsewhere in the application.
8. Educate developers on secure coding practices to prevent recurrence.
9. Prepare incident response plans to quickly address any exploitation attempts.
10. Stay updated with vendor advisories for official patches or updates.
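The following is an added example, not code from the Jonnys Liquor project, showing what recommendations 1 through 4 look like together in a /detail.php-style page: the raw-interpolation pattern the advisory describes (shown only as a comment), then a hardened version that validates the Product parameter and binds it in a PDO prepared statement. The table and column names, the assumption that product identifiers are positive integers, the DSN and the credential placeholders are all assumptions; the advisory does not describe the application's schema.

```php
<?php
// Added example (not code from the Jonnys Liquor project): a hardened
// detail.php lookup. Table/column names, the DSN and the credentials are
// assumptions; the real schema is not described in the advisory.

declare(strict_types=1);

// --- Vulnerable pattern (illustrative reconstruction, NOT the project's code) ---
// Interpolating the raw GET parameter into the query string is the defect
// class the advisory describes: the value is treated as SQL text, not as data.
//
//   $sql = "SELECT * FROM products WHERE id = '" . $_GET['Product'] . "'";
//   $result = mysqli_query($conn, $sql);

// --- Hardened version ---

/**
 * Validate the Product parameter (recommendation 1). Assumption: product
 * identifiers are positive integers. Returns null when the value is absent
 * or malformed, so the caller responds with 400 instead of building a query.
 */
function productIdFromQuery(array $query): ?int
{
    if (!isset($query['Product']) || !is_string($query['Product'])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a plain integer literal; anything else
    // (quotes, comment markers, extra tokens) fails validation here.
    $id = filter_var($query['Product'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch one product row with a prepared statement (recommendation 2). The
 * value is bound as data, so it cannot alter the structure of the statement
 * even if the validation above is loosened later.
 */
function fetchProduct(PDO $db, int $productId): ?array
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $productId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings are placeholders. Use a dedicated low-privilege account
// (SELECT only on the tables this page needs), per recommendation 3.
$db = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_READONLY_USER',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);

$productId = productIdFromQuery($_GET);
if ($productId === null) {
    http_response_code(400);
    // Record the rejection for the log monitoring in recommendation 4, without
    // echoing the rejected value back to the client.
    error_log('detail.php: rejected Product parameter from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Invalid product identifier.');
}

$product = fetchProduct($db, $productId);
if ($product === null) {
    http_response_code(404);
    exit('Product not found.');
}

header('Content-Type: text/html; charset=utf-8');
echo '<h1>' . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>Price: ' . htmlspecialchars((string) $product['price'], ENT_QUOTES, 'UTF-8') . '</p>';
```

Validation and the prepared statement are independent layers: a later change that accepts string product codes would weaken the first without weakening the second, which is why recommendation 2 is the fix and recommendation 1 is defense in depth. Counting 400 responses from this endpoint in the web server log gives a simple signal for the monitoring in recommendation 4.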
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-23T09:47:30.949Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6923e5eb1e6a877a1a577011
Added to database: 11/24/2025, 4:58:19 AM
Last enriched: 11/24/2025, 5:05:19 AM
Last updated: 11/24/2025, 3:02:40 PM