Skip to main content

CVE-2025-7474: SQL Injection in code-projects Job Diary

Medium
VulnerabilityCVE-2025-7474cvecve-2025-7474
Published: Sat Jul 12 2025 (07/12/2025, 12:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Job Diary

Description

A vulnerability was found in code-projects Job Diary 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /search.php. The manipulation of the argument Search leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 07/19/2025, 20:53:08 UTC

Technical Analysis

CVE-2025-7474 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Job Diary application. The vulnerability exists in the /search.php file, specifically in the handling of the 'Search' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which the backend database executes. This flaw allows remote attackers to exploit the vulnerability without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:N). The injection can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the underlying database. Although the CVSS score is 6.9 (medium severity), the description rates it as critical, reflecting the high risk posed by SQL injection vulnerabilities in general. No patches or fixes have been linked yet, and no known exploits are currently observed in the wild. The vulnerability disclosure is recent (published July 12, 2025), and the affected functionality is unknown beyond the /search.php endpoint, which likely handles user search queries within the Job Diary application. The lack of authentication requirements and the remote exploitability make this vulnerability particularly dangerous, as attackers can leverage it to extract sensitive information or disrupt services without needing valid credentials or user interaction.

Potential Impact

For European organizations using the code-projects Job Diary 1.0 application, this vulnerability poses a significant risk. The SQL injection can lead to unauthorized access to sensitive business data, including potentially personal data protected under GDPR regulations. Exploitation could result in data breaches, leading to regulatory fines, reputational damage, and operational disruptions. Since the vulnerability allows remote exploitation without authentication, attackers could automate attacks at scale, increasing the likelihood of compromise. Organizations relying on Job Diary for managing employee or project information may face data integrity issues or service outages if attackers manipulate or delete database records. Additionally, if the compromised data includes personal or financial information, the impact extends to legal liabilities and customer trust erosion. The medium CVSS score may underestimate the real-world impact, given the critical nature of SQL injection flaws and the absence of mitigating controls mentioned in the report.

Mitigation Recommendations

Immediate mitigation steps include implementing input validation and parameterized queries or prepared statements in the /search.php endpoint to prevent SQL injection. Organizations should audit their Job Diary 1.0 installations and restrict access to the application from untrusted networks until a patch is available. Web application firewalls (WAFs) can be configured with custom rules to detect and block SQL injection patterns targeting the 'Search' parameter. Monitoring and logging of database queries and application logs should be enhanced to detect suspicious activities. Since no official patch is currently linked, organizations should contact the vendor for updates or consider upgrading to a newer, unaffected version if available. Additionally, isolating the affected application environment and performing regular backups will help in recovery if exploitation occurs. Security teams should also conduct penetration testing focused on injection flaws to identify any other vulnerable inputs.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-11T12:39:52.416Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68725207a83201eaacb45cd2

Added to database: 7/12/2025, 12:16:07 PM

Last enriched: 7/19/2025, 8:53:08 PM

Last updated: 8/21/2025, 5:10:08 AM

Views: 36

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats