CVE-2025-6901: SQL Injection in code-projects Inventory Management System
A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/removeUser.php. The manipulation of the argument userid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6901 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Inventory Management System. The vulnerability resides in the /php_action/removeUser.php file, specifically in the processing of the 'userid' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which the backend database executes. This flaw allows an unauthenticated remote attacker to perform unauthorized database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability does not require any authentication or user interaction, making it highly exploitable. The CVSS 4.0 score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, low attack complexity) but limited impact on confidentiality, integrity, and availability (low to limited impact). The vulnerability has been publicly disclosed, but there are no known exploits in the wild yet. The absence of patches or mitigation links indicates that the vendor has not yet released an official fix. Given the nature of inventory management systems, which often store sensitive business and operational data, exploitation could disrupt business processes and expose confidential information.
Potential Impact
For European organizations using the affected Inventory Management System version 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive inventory and user data, potentially causing data breaches that violate GDPR regulations. The integrity of inventory records could be compromised, leading to operational disruptions, financial losses, and reputational damage. Since the vulnerability allows remote exploitation without authentication, attackers could leverage it to gain footholds within corporate networks, potentially escalating privileges or pivoting to other systems. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as public disclosure increases attacker awareness. Organizations in sectors with stringent data protection requirements or critical supply chain dependencies are particularly vulnerable to the operational and compliance impacts of this flaw.
Mitigation Recommendations
European organizations should immediately audit their use of the code-projects Inventory Management System to identify installations of version 1.0. Until an official patch is released, organizations should implement the following specific mitigations: 1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'userid' parameter in /php_action/removeUser.php. 2) Restrict network access to the Inventory Management System to trusted internal IP ranges and VPNs to reduce exposure. 3) Conduct code reviews and implement parameterized queries or prepared statements in the affected PHP script to eliminate SQL injection vectors. 4) Monitor logs for suspicious database query patterns or repeated failed attempts to manipulate 'userid'. 5) Engage with the vendor for timely patch releases and apply updates as soon as they become available. 6) Consider temporary disabling or restricting the removeUser functionality if feasible to prevent exploitation. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and attack vector.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
CVE-2025-6901: SQL Injection in code-projects Inventory Management System
Description
A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/removeUser.php. The manipulation of the argument userid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI-Powered Analysis
Technical Analysis
CVE-2025-6901 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Inventory Management System. The vulnerability resides in the /php_action/removeUser.php file, specifically in the processing of the 'userid' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which the backend database executes. This flaw allows an unauthenticated remote attacker to perform unauthorized database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability does not require any authentication or user interaction, making it highly exploitable. The CVSS 4.0 score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, low attack complexity) but limited impact on confidentiality, integrity, and availability (low to limited impact). The vulnerability has been publicly disclosed, but there are no known exploits in the wild yet. The absence of patches or mitigation links indicates that the vendor has not yet released an official fix. Given the nature of inventory management systems, which often store sensitive business and operational data, exploitation could disrupt business processes and expose confidential information.
Potential Impact
For European organizations using the affected Inventory Management System version 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive inventory and user data, potentially causing data breaches that violate GDPR regulations. The integrity of inventory records could be compromised, leading to operational disruptions, financial losses, and reputational damage. Since the vulnerability allows remote exploitation without authentication, attackers could leverage it to gain footholds within corporate networks, potentially escalating privileges or pivoting to other systems. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as public disclosure increases attacker awareness. Organizations in sectors with stringent data protection requirements or critical supply chain dependencies are particularly vulnerable to the operational and compliance impacts of this flaw.
Mitigation Recommendations
European organizations should immediately audit their use of the code-projects Inventory Management System to identify installations of version 1.0. Until an official patch is released, organizations should implement the following specific mitigations: 1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'userid' parameter in /php_action/removeUser.php. 2) Restrict network access to the Inventory Management System to trusted internal IP ranges and VPNs to reduce exposure. 3) Conduct code reviews and implement parameterized queries or prepared statements in the affected PHP script to eliminate SQL injection vectors. 4) Monitor logs for suspicious database query patterns or repeated failed attempts to manipulate 'userid'. 5) Engage with the vendor for timely patch releases and apply updates as soon as they become available. 6) Consider temporary disabling or restricting the removeUser functionality if feasible to prevent exploitation. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and attack vector.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-06-29T11:59:52.779Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68625b4c6f40f0eb728a27ef
Added to database: 6/30/2025, 9:39:24 AM
Last enriched: 6/30/2025, 9:54:55 AM
Last updated: 7/14/2025, 9:15:10 PM
Views: 12
Related Threats
CVE-2025-53946: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalCVE-2025-53941: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fedify-dev hollo
MediumCVE-2025-53927: CWE-94: Improper Control of Generation of Code ('Code Injection') in 1Panel-dev MaxKB
MediumCVE-2025-53909: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in mailcow mailcow-dockerized
CriticalCVE-2025-51630: n/a
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.