CVE-2025-6903 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Car Rental System, specifically within the /admin/approve.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is susceptible to malicious input manipulation. An attacker can remotely exploit this flaw without any authentication or user interaction, by injecting crafted SQL commands through the 'ID' argument. This can lead to unauthorized access to the backend database, allowing the attacker to read, modify, or delete sensitive data, potentially compromising the confidentiality, integrity, and availability of the system. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits in the wild have been reported yet. The CVSS 4.0 base score is 6.9, indicating a medium severity level, reflecting the ease of remote exploitation without privileges but limited scope of impact due to the specific affected functionality and lack of known active exploitation. However, the critical nature of SQL Injection vulnerabilities generally warrants urgent attention due to their potential to cause severe damage if exploited effectively.

For European organizations using the code-projects Car Rental System version 1.0, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized data access, including customer personal information, booking details, and administrative data, which may result in data breaches violating GDPR regulations. The integrity of rental records could be compromised, leading to fraudulent transactions or operational disruptions. Availability could also be affected if attackers execute destructive SQL commands, causing service outages. The reputational damage and potential regulatory penalties for mishandling personal data could be substantial. Additionally, given the remote and unauthenticated nature of the exploit, attackers can target these systems at scale, increasing the risk for organizations with internet-facing administrative interfaces.

Organizations should immediately audit their deployments of the code-projects Car Rental System version 1.0 and restrict or disable access to the /admin/approve.php endpoint until a patch or update is available. Implementing a Web Application Firewall (WAF) with rules to detect and block SQL injection patterns targeting the 'ID' parameter can provide interim protection. Input validation and parameterized queries or prepared statements should be enforced in the application code to eliminate injection vectors. Network segmentation and limiting administrative interface exposure to trusted IP addresses can reduce attack surface. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities. Monitoring logs for suspicious database queries or unusual access patterns is recommended to detect potential exploitation attempts early. If possible, upgrade to a newer, patched version of the software once released by the vendor.