CVE-2025-6777: SQL Injection in code-projects Food Distributor Site
A vulnerability, which was classified as critical, has been found in code-projects Food Distributor Site 1.0. This issue affects some unknown processing of the file /admin/process_login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6777 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Food Distributor Site, specifically within the /admin/process_login.php file. The vulnerability arises from improper handling of the username and password parameters, allowing an attacker to inject malicious SQL code. This injection can be performed remotely without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, potentially allowing attackers to bypass authentication, extract sensitive data, modify or delete records, or even execute administrative commands on the database server. Although the CVSS score is 6.9 (medium severity), the vulnerability's characteristics—remote exploitability, no authentication required, and direct impact on login processing—make it a significant threat. No patches or mitigations have been publicly disclosed yet, and no known exploits are currently reported in the wild, but the public disclosure of the exploit details increases the risk of exploitation by attackers. The vulnerability affects only version 1.0 of the Food Distributor Site product, which is a web application used for managing food distribution operations. The lack of secure coding practices in input validation and parameterized queries in the login processing module is the root cause of this issue.
Potential Impact
For European organizations using the code-projects Food Distributor Site 1.0, this vulnerability poses a substantial risk. Exploitation can lead to unauthorized access to administrative functions, exposure of sensitive business and customer data, and potential disruption of food distribution operations. This can result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for protecting personal data. The ability to remotely exploit the vulnerability without authentication increases the attack surface, making it easier for threat actors to target organizations. If attackers gain control over the database, they could manipulate orders, inventory, or customer information, severely impacting supply chain integrity. Additionally, the disruption of critical food distribution services could have broader economic and social consequences. Given the critical nature of food supply chains, organizations in this sector must prioritize addressing this vulnerability to maintain operational continuity and data security.
Mitigation Recommendations
1. Immediate application of patches or updates from the vendor once available is essential. Since no patch links are currently provided, organizations should contact the vendor for guidance or consider upgrading to a newer, secure version if available. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the /admin/process_login.php endpoint, focusing on the username and password parameters. 3. Conduct a thorough code review and refactor the login processing code to use parameterized queries or prepared statements to prevent SQL injection. 4. Restrict access to the /admin directory by IP whitelisting or VPN-only access to reduce exposure. 5. Monitor logs for suspicious login attempts or unusual database queries that may indicate exploitation attempts. 6. Employ database-level protections such as least privilege principles for the database user accounts used by the application, limiting the potential damage of a successful injection. 7. Educate development and security teams on secure coding practices and conduct regular security assessments to identify similar vulnerabilities proactively.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
CVE-2025-6777: SQL Injection in code-projects Food Distributor Site
Description
A vulnerability, which was classified as critical, has been found in code-projects Food Distributor Site 1.0. This issue affects some unknown processing of the file /admin/process_login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI-Powered Analysis
Technical Analysis
CVE-2025-6777 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Food Distributor Site, specifically within the /admin/process_login.php file. The vulnerability arises from improper handling of the username and password parameters, allowing an attacker to inject malicious SQL code. This injection can be performed remotely without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, potentially allowing attackers to bypass authentication, extract sensitive data, modify or delete records, or even execute administrative commands on the database server. Although the CVSS score is 6.9 (medium severity), the vulnerability's characteristics—remote exploitability, no authentication required, and direct impact on login processing—make it a significant threat. No patches or mitigations have been publicly disclosed yet, and no known exploits are currently reported in the wild, but the public disclosure of the exploit details increases the risk of exploitation by attackers. The vulnerability affects only version 1.0 of the Food Distributor Site product, which is a web application used for managing food distribution operations. The lack of secure coding practices in input validation and parameterized queries in the login processing module is the root cause of this issue.
Potential Impact
For European organizations using the code-projects Food Distributor Site 1.0, this vulnerability poses a substantial risk. Exploitation can lead to unauthorized access to administrative functions, exposure of sensitive business and customer data, and potential disruption of food distribution operations. This can result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for protecting personal data. The ability to remotely exploit the vulnerability without authentication increases the attack surface, making it easier for threat actors to target organizations. If attackers gain control over the database, they could manipulate orders, inventory, or customer information, severely impacting supply chain integrity. Additionally, the disruption of critical food distribution services could have broader economic and social consequences. Given the critical nature of food supply chains, organizations in this sector must prioritize addressing this vulnerability to maintain operational continuity and data security.
Mitigation Recommendations
1. Immediate application of patches or updates from the vendor once available is essential. Since no patch links are currently provided, organizations should contact the vendor for guidance or consider upgrading to a newer, secure version if available. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the /admin/process_login.php endpoint, focusing on the username and password parameters. 3. Conduct a thorough code review and refactor the login processing code to use parameterized queries or prepared statements to prevent SQL injection. 4. Restrict access to the /admin directory by IP whitelisting or VPN-only access to reduce exposure. 5. Monitor logs for suspicious login attempts or unusual database queries that may indicate exploitation attempts. 6. Employ database-level protections such as least privilege principles for the database user accounts used by the application, limiting the potential damage of a successful injection. 7. Educate development and security teams on secure coding practices and conduct regular security assessments to identify similar vulnerabilities proactively.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-06-27T11:18:14.598Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 685f01806f40f0eb7266be79
Added to database: 6/27/2025, 8:39:28 PM
Last enriched: 6/27/2025, 8:54:46 PM
Last updated: 7/16/2025, 4:25:24 AM
Views: 19
Related Threats
CVE-2025-7431: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ajay Knowledge Base
MediumCVE-2025-7767: Cross Site Scripting in PHPGurukul Art Gallery Management System
MediumCVE-2025-7765: SQL Injection in code-projects Online Appointment Booking System
MediumCVE-2025-7764: SQL Injection in code-projects Online Appointment Booking System
MediumCVE-2025-7763: Open Redirect in thinkgem JeeSite
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.