CVE-2025-8165: SQL Injection in code-projects Food Review System
A vulnerability was found in code-projects Food Review System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/approve_reservation.php. The manipulation of the argument occasion leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8165 is a SQL injection vulnerability in version 1.0 of the code-projects Food Review System, located in the /admin/approve_reservation.php script. The script passes the 'occasion' request parameter into a SQL statement without sanitization or parameter binding, so whoever controls that parameter can change the statement the database executes. The attack is carried out remotely and needs no user interaction. Note that the CVSS 4.0 vector records PR:L, that is, low privileges are required: the endpoint belongs to the administrative interface, so the scoring assumes an attacker who already holds (or has obtained) a low-privileged account on the application, not a fully unauthenticated one. The vulnerability carries a CVSS 4.0 base score of 5.3 (medium). The vector components are: network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L), meaning an attacker can read or modify some database contents but the score does not assume full compromise of the host. No vendor patch has been published. A public proof of concept exists (VulDB reports the exploit as disclosed), although no in-the-wild exploitation has been reported at the time of writing. The Food Review System is used by restaurants and food service providers to manage reservations and reviews; the affected endpoint is part of the admin interface and may be reachable only internally or from the internet depending on how the deployment is exposed. Successful exploitation could disclose reservation data or tamper with booking approvals, affecting business operations and customer trust.
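The following is an added example, written for this page and not taken from the Food Review System's own source (which the advisory does not reproduce). It shows the generic pattern the advisory describes: a request parameter spliced into SQL text by string concatenation, beside the parameterized form that closes the hole. The table name, columns, sample rows and the exact statement are assumptions; the payload is a textbook tautology, not the disclosed proof of concept. It uses an in-memory SQLite database so it runs offline:

```python
import sqlite3

# Constructed sample data standing in for the application's reservations
# table. Table name, columns and rows are assumptions for this example.
SAMPLE_RESERVATIONS = [
    (1, "Alice", "birthday", "pending"),
    (2, "Bob", "anniversary", "pending"),
    (3, "Carol", "birthday", "approved"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations "
        "(id INTEGER, customer TEXT, occasion TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservations VALUES (?, ?, ?, ?)", SAMPLE_RESERVATIONS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, occasion):
    """Hypothetical vulnerable pattern: the 'occasion' value is spliced
    straight into the SQL text, so a quote in it changes the query."""
    sql = (
        "SELECT id, customer FROM reservations WHERE occasion = '"
        + occasion
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, occasion):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT id, customer FROM reservations WHERE occasion = ?"
    return conn.execute(sql, (occasion,)).fetchall()


def approve_vulnerable(conn, occasion):
    """Same concatenation flaw on an UPDATE: returns the number of rows
    whose status was changed, which a tautology payload inflates to all."""
    sql = (
        "UPDATE reservations SET status = 'approved' WHERE occasion = '"
        + occasion
        + "'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def approve_parameterized(conn, occasion):
    """Hardened UPDATE: the payload is compared literally and matches nothing."""
    cur = conn.execute(
        "UPDATE reservations SET status = 'approved' WHERE occasion = ?",
        (occasion,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    payload = "' OR '1'='1"  # classic tautology; not the disclosed PoC
    conn = make_db()
    print("vulnerable lookup :", lookup_vulnerable(conn, payload))
    print("parameterized     :", lookup_parameterized(conn, payload))
    print("vulnerable approve rows:", approve_vulnerable(make_db(), payload))
    print("parameterized approve  :", approve_parameterized(make_db(), payload))
```

With a legitimate value such as "birthday" both forms behave identically; with the tautology payload the concatenated SELECT returns every reservation and the concatenated UPDATE approves every row, while the parameterized versions return and change nothing, because the database never sees the payload as SQL.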
Potential Impact
For European organizations running the code-projects Food Review System 1.0, this vulnerability poses a moderate risk. Exploitation could expose or modify reservation data, potentially resulting in a breach of customer personal data or disruption of reservation workflows. That could damage the reputation of affected businesses, create GDPR non-compliance through exposure of personal data, and cause operational disruption. Because the flaw is exploitable remotely without user interaction, an attacker who holds the low-privileged application access the CVSS vector assumes could automate requests to extract data or alter reservation statuses, leading to financial loss or customer dissatisfaction. The impact is particularly relevant for the hospitality and food service sectors in Europe, where customer data protection is strictly regulated. Although the severity is medium, the absence of a patch makes it urgent to apply compensating controls until a fix is released.
Mitigation Recommendations
1. Restrict access to the /admin/approve_reservation.php endpoint with network-level controls such as IP allowlisting or VPN-only access, so that only trusted administrators can reach it.
2. Deploy a Web Application Firewall (WAF) with custom rules that detect and block SQL injection patterns in the 'occasion' parameter. Treat this as a compensating control only: pattern matching can be evaded and does not remove the flaw.
3. Review the code immediately and move every database interaction that involves user-supplied data, the 'occasion' parameter first, to parameterized queries or prepared statements, with allowlist input validation on top.
4. Monitor web server and database logs for unusual database errors and for requests to the vulnerable endpoint carrying quote characters, comment markers or SQL keywords, to detect exploitation attempts.
5. Where possible, place the Food Review System in a segmented network zone to limit lateral movement if it is compromised.
6. Engage the vendor or community to obtain or develop a patch, and apply it promptly once available.
7. Brief administrative users on the risk and require strong authentication on admin accounts, since the CVSS vector assumes the attacker holds low-privileged access.
8. Back up the database regularly so that data altered or destroyed through the flaw can be restored.
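As an added example covering recommendations 2, 3 and 4 above (it is not part of the original advisory or the project's code), the block below implements an allowlist check for the 'occasion' value and a scanner that flags requests to /admin/approve_reservation.php whose 'occasion' parameter fails the allowlist or contains SQL injection markers. The allowlist contents, the log format (Apache/nginx combined style) and the sample log lines are all constructed assumptions; the advisory does not state which values the application accepts or whether the parameter is sent by GET or POST:

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed set of legitimate occasion values; the real application's set
# is not known from the advisory.
ALLOWED_OCCASIONS = {"birthday", "anniversary", "business", "casual", "other"}

TARGET_PATH = "/admin/approve_reservation.php"

# Markers that rarely appear in a genuine occasion value but are common in
# SQL injection probes: quotes, comment sequences, stacked statements,
# boolean tautologies, UNION SELECT and time-based functions.
SQLI_PATTERN = re.compile(
    r"(['\"]|--|/\*|#|;"
    r"|\bor\b\s+[\w'\"]+\s*=\s*[\w'\"]+"
    r"|\bunion\b\s+(all\s+)?select\b"
    r"|\b(sleep|benchmark)\s*\()",
    re.IGNORECASE,
)

# Combined access log format (constructed assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)


def occasion_is_valid(value):
    """Allowlist validation: anything outside the known set is rejected."""
    return value in ALLOWED_OCCASIONS


def scan_log(lines):
    """Return one record per request to the vulnerable endpoint whose
    'occasion' parameter fails the allowlist or matches an injection marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for raw in query.get("occasion", []):
            # parse_qs already decoded once; decode again to catch
            # double-encoded payloads.
            value = unquote_plus(raw)
            if not occasion_is_valid(value) or SQLI_PATTERN.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "occasion": value,
                })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Jul/2025:18:01:02 +0000] "GET /admin/approve_reservation.php?id=7&occasion=birthday HTTP/1.1" 200 512',
    '203.0.113.10 - - [25/Jul/2025:18:01:09 +0000] "GET /admin/approve_reservation.php?id=7&occasion=%27+OR+%271%27%3D%271 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [25/Jul/2025:18:02:15 +0000] "GET /admin/approve_reservation.php?id=8&occasion=anniversary%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 233',
    '198.51.100.7 - - [25/Jul/2025:18:02:40 +0000] "GET /index.php?occasion=%27 HTTP/1.1" 200 100',
    '192.0.2.5 - - [25/Jul/2025:18:03:00 +0000] "POST /admin/approve_reservation.php HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two of the sample lines are flagged: the tautology probe and the UNION SELECT probe, the latter also producing an HTTP 500, which is the kind of database-error signal recommendation 4 asks you to watch for. The request to index.php is ignored because the path differs, and the POST is ignored because access logs do not record request bodies; if the application sends 'occasion' in a POST body, detection has to happen in the WAF or in application-level logging rather than in the web server's access log.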
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-25T07:21:21.778Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6883d161ad5a09ad00561b46
Added to database: 7/25/2025, 6:48:01 PM
Last enriched: 7/25/2025, 7:02:44 PM
Last updated: 7/26/2025, 12:34:14 AM
Related Threats
- CVE-2025-8179: SQL Injection in PHPGurukul Local Services Search Engine Management System (Medium)
- CVE-2025-8178: Heap-based Buffer Overflow in Tenda AC10 (High)
- CVE-2025-6895: CWE-288 Authentication Bypass Using an Alternate Path or Channel in melapress Melapress Login Security (Critical)
- CVE-2025-8177: Buffer Overflow in LibTIFF (Medium)
- CVE-2025-8176: Use After Free in LibTIFF (Medium)