Skip to main content

CVE-2025-7476: SQL Injection in code-projects Simple Car Rental System

Medium
VulnerabilityCVE-2025-7476cvecve-2025-7476
Published: Sat Jul 12 2025 (07/12/2025, 13:32:04 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Car Rental System

Description

A vulnerability classified as critical was found in code-projects Simple Car Rental System 1.0. This vulnerability affects unknown code of the file /admin/approve.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 07/12/2025, 14:01:04 UTC

Technical Analysis

CVE-2025-7476 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Simple Car Rental System, specifically within the /admin/approve.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector details show that the attack complexity is low, no privileges or user interaction are required, and the impact on confidentiality, integrity, and availability is low to limited. No patches or fixes have been published yet, and no known exploits are currently observed in the wild. However, the public disclosure of the vulnerability and its exploit details increases the risk of exploitation by threat actors. The affected product is a niche web application used for managing car rental operations, which likely stores sensitive customer and transactional data in its database. Exploitation could lead to unauthorized data access, data manipulation, or disruption of service.

Potential Impact

For European organizations using the Simple Car Rental System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and operational data. Attackers exploiting this SQL Injection could extract sensitive personal information, including customer identities, rental histories, and payment details, potentially violating GDPR requirements. Data manipulation could also lead to fraudulent transactions or operational disruptions, impacting business continuity and customer trust. Since the vulnerability is remotely exploitable without authentication, attackers could target exposed administrative endpoints directly. Although the product is specialized, small to medium-sized car rental companies or local agencies in Europe that rely on this system are particularly vulnerable. The lack of a patch increases the urgency for mitigation. Additionally, reputational damage and regulatory penalties could arise from data breaches stemming from this vulnerability.

Mitigation Recommendations

Organizations should immediately restrict access to the /admin/approve.php endpoint by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. Web application firewalls (WAFs) should be configured with rules to detect and block SQL Injection attempts targeting the 'ID' parameter. Input validation and parameterized queries should be implemented in the application code to prevent injection, though this requires vendor action or custom patching. Until an official patch is released, consider isolating the affected system from public networks or replacing it with alternative solutions. Regular monitoring of logs for suspicious SQL errors or unusual database queries can help detect exploitation attempts early. Additionally, organizations should review and audit database permissions to minimize the impact of a potential breach and ensure backups are current and secure to enable recovery if data integrity is compromised.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-11T12:42:02.833Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6872671fa83201eaacb4a115

Added to database: 7/12/2025, 1:46:07 PM

Last enriched: 7/12/2025, 2:01:04 PM

Last updated: 7/12/2025, 2:01:04 PM

Views: 2

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats