CVE-2025-7123 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Complaint Management System, specifically affecting the /admin/complaint-details.php file. The vulnerability arises from improper sanitization or validation of the 'cid' and 'uid' parameters, which are used in SQL queries. An attacker can manipulate these parameters remotely without authentication or user interaction to inject malicious SQL code. This can lead to unauthorized access to the backend database, potentially allowing the attacker to read, modify, or delete sensitive complaint data stored within the system. The vulnerability has been publicly disclosed, although no known exploits are currently reported in the wild. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The vector details show that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required, but this conflicts with the description; likely a data inconsistency), no user interaction (UI:N), and limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The lack of patch links suggests that a fix may not yet be available, increasing the urgency for mitigation. Given the nature of complaint management systems, which often handle sensitive personal and organizational data, exploitation could lead to data breaches, reputational damage, and regulatory non-compliance.

For European organizations using the Campcodes Complaint Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of complaint data, which may include personal data protected under GDPR. Successful exploitation could lead to unauthorized data disclosure, data tampering, or deletion, undermining trust in complaint handling processes. This could result in legal penalties, loss of customer confidence, and operational disruptions. Since complaint management systems are often integrated with other internal systems, the attack could serve as a pivot point for broader network compromise. The medium CVSS score suggests moderate ease of exploitation and impact, but the critical nature of complaint data in regulated environments elevates the practical risk. European organizations must consider the potential for regulatory scrutiny and the need for incident response readiness.

1. Immediate implementation of input validation and parameterized queries or prepared statements in the /admin/complaint-details.php script to prevent SQL injection. 2. Restrict access to the admin interface via network segmentation and IP whitelisting to limit exposure. 3. Monitor web application logs for unusual or suspicious requests targeting 'cid' and 'uid' parameters. 4. Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts. 5. Conduct a thorough code review and security assessment of the entire complaint management system to identify and remediate similar vulnerabilities. 6. If possible, upgrade to a patched version once available or apply vendor-provided mitigations. 7. Educate administrators about the risks and signs of exploitation to enhance detection and response capabilities. 8. Regularly back up complaint data and ensure backups are secure and tested for restoration to mitigate potential data loss.