A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /pages/product_update.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7538 is a vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically within the /pages/product_update.php file. The vulnerability arises from improper handling of the 'image' parameter, which allows an attacker to perform an unrestricted file upload. This means that an attacker can upload arbitrary files, including potentially malicious scripts, without authentication or user interaction, and remotely. The vulnerability is classified as critical due to the potential for remote exploitation and the ability to upload files that could lead to remote code execution or system compromise. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is low to medium, suggesting that while the vulnerability can be exploited remotely, the overall damage depends on the payload uploaded and subsequent attacker actions. No patches or mitigations have been published yet, and no known exploits are currently observed in the wild. However, public disclosure of the exploit details increases the risk of exploitation.

CVE Database V5

Detailed information about CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-t

CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System

A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/product_update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7537 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically affecting an unspecified portion of the /pages/product_update.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which can be manipulated remotely by an unauthenticated attacker to inject malicious SQL commands. This flaw allows attackers to interfere with the application's database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. Although the CVSS 4.0 score is 6.9, categorized as medium severity, the potential impact on confidentiality, integrity, and availability of the system's data is significant due to the nature of SQL injection attacks. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The lack of available patches or mitigation guidance from the vendor increases the urgency for affected organizations to implement protective measures. Given that the affected product is a sales and inventory system, exploitation could lead to exposure or manipulation of sensitive business data, including inventory records, sales transactions, and possibly customer information.

Detailed information about CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-time up

CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System

A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /pages/receipt_credit.php. The manipulation of the argument sid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7536 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically within the /pages/receipt_credit.php file. The vulnerability arises from improper sanitization of the 'sid' parameter, which can be manipulated by an attacker to inject malicious SQL code. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring any user interaction or privileges. The injection can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the system's data. Although the CVSS score is 6.9 (medium severity), the vulnerability's characteristics—remote exploitability without authentication and direct impact on database operations—indicate a significant threat. The exploit has been publicly disclosed, increasing the risk of exploitation. No official patches or mitigations have been linked yet, which means affected organizations must rely on immediate defensive measures. The vulnerability affects only version 1.0 of the Campcodes Sales and Inventory System, which is a niche product used for managing sales and inventory data, likely in small to medium enterprises.

Detailed information about CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-time up

CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System

A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /pages/reprint_cash.php. The manipulation of the argument sid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7535 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically within the /pages/reprint_cash.php file. The vulnerability arises from improper sanitization of the 'sid' parameter, which is susceptible to malicious input manipulation. An attacker can exploit this flaw remotely without requiring any authentication or user interaction, by injecting crafted SQL commands through the 'sid' argument. This can lead to unauthorized access to the underlying database, allowing attackers to read, modify, or delete sensitive sales and inventory data. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits are currently reported in the wild. The CVSS 4.0 score of 6.9 (medium severity) reflects the ease of remote exploitation and the potential for partial confidentiality, integrity, and availability impacts, albeit with limited scope and no privilege or user interaction requirements. Given the nature of sales and inventory systems, exploitation could disrupt business operations, compromise financial records, and expose sensitive commercial information.

Detailed information about CVE-2025-7535: SQL Injection in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-time up

CVE-2025-7535: SQL Injection in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7535: SQL Injection in Campcodes Sales and Inventory System

In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

Detailed information about CVE-2025-53865: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in roundup-tracker