Skip to main content

CVE-2025-6821: SQL Injection in code-projects Inventory Management System

Medium
VulnerabilityCVE-2025-6821cvecve-2025-6821
Published: Sat Jun 28 2025 (06/28/2025, 18:00:13 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Inventory Management System

Description

A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /php_action/createOrder.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 06/28/2025, 18:39:30 UTC

Technical Analysis

CVE-2025-6821 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Inventory Management System, specifically within the /php_action/createOrder.php file. This vulnerability allows an unauthenticated remote attacker to manipulate SQL queries by injecting malicious input, potentially leading to unauthorized access or modification of the underlying database. The vulnerability does not require any privileges or user interaction to exploit, making it accessible over the network without authentication. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector highlighting network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality, integrity, and availability. Although the exploit has been publicly disclosed, there are no known active exploits in the wild at this time. The vulnerability arises from insufficient input validation or sanitization in the createOrder.php script, which processes order creation requests. Successful exploitation could allow attackers to extract sensitive data, modify or delete records, or potentially escalate attacks within the affected system. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for organizations using this software to implement interim mitigations or monitor for updates.

Potential Impact

For European organizations utilizing the code-projects Inventory Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their inventory and order data. Exploitation could lead to unauthorized data disclosure, manipulation of inventory records, or disruption of order processing workflows, potentially causing financial losses and operational disruptions. Given that the vulnerability can be exploited remotely without authentication, attackers could leverage it to gain footholds within corporate networks, potentially leading to further lateral movement or data breaches. The medium CVSS score reflects moderate impact, but the critical classification by the vendor highlights the potential severity if exploited in sensitive environments. European companies in retail, manufacturing, or logistics sectors relying on this system may face compliance risks under GDPR if personal or sensitive data is exposed. Additionally, reputational damage and regulatory penalties could result from exploitation. The absence of known active exploits currently reduces immediate risk but does not eliminate the threat, especially as public exploit code availability may facilitate future attacks.

Mitigation Recommendations

European organizations should immediately assess their exposure to the affected Inventory Management System version 1.0 and prioritize remediation. Specific mitigation steps include: 1) Implementing strict input validation and parameterized queries in the createOrder.php script to prevent SQL injection, if source code access and modification are possible. 2) Applying web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint. 3) Restricting network access to the Inventory Management System to trusted internal IPs or VPNs to reduce exposure to remote attacks. 4) Monitoring application logs and database queries for anomalous activity indicative of injection attempts. 5) Segregating the database with least privilege principles to limit the impact of potential exploitation. 6) Engaging with the vendor or community for patches or updates and applying them promptly once available. 7) Conducting regular security assessments and penetration testing focused on injection vulnerabilities. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and practical network-level controls to reduce attack surface.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-27T16:58:46.970Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6860335d6f40f0eb727184fe

Added to database: 6/28/2025, 6:24:29 PM

Last enriched: 6/28/2025, 6:39:30 PM

Last updated: 7/13/2025, 5:19:50 AM

Views: 16

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats