CVE-2025-5079
SQL injection vulnerability in Campcodes Online Shopping Portal 1.0
Overview
A critical vulnerability has been identified in Campcodes Online Shopping Portal 1.0. It allows SQL injection via the file '/admin/updateorder.php'. The issue can be exploited remotely, which increases its risk profile.
Technical Details
The vulnerability resides in an unspecified part of the processing in the file '/admin/updateorder.php' of Campcodes Online Shopping Portal 1.0. The flaw is caused by improper handling of the 'remark' argument, which leads to SQL injection.
CVSS Metrics
- Version: 3.1
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: LOW
Impact
By exploiting this vulnerability, an attacker can compromise the confidentiality of user data, the integrity of stored data, and the availability of the system.
Recommendations
Regularly update your software, deploy a web application firewall, sanitize inputs, and use prepared statements with variable binding (also known as parameterized queries) for all SQL statements.
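As an added illustration of the last recommendation (not code from Campcodes or from this advisory), the following Python/sqlite3 snippet contrasts an order-update handler that concatenates the 'remark' value into the SQL text with one that binds it as a parameter. The orders table, the column names and the assumption that the query is built by string concatenation are all constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample schema: three orders, none with a remark yet."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, remark TEXT)")
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "pending", ""), (2, "pending", ""), (3, "shipped", "")],
    )
    con.commit()
    return con


def update_order_unsafe(con, order_id, status, remark):
    """Vulnerable pattern (assumed, not the real code): request values are
    pasted into the SQL text, so a quote in 'remark' changes the query."""
    sql = "UPDATE orders SET status='%s', remark='%s' WHERE id=%s" % (status, remark, order_id)
    con.execute(sql)
    con.commit()


def update_order_safe(con, order_id, status, remark):
    """Hardened form: the same update with bound parameters. The database
    receives 'remark' as data only, so the WHERE clause cannot be altered."""
    con.execute(
        "UPDATE orders SET status=?, remark=? WHERE id=?",
        (status, remark, order_id),
    )
    con.commit()


def snapshot(con):
    """Return all rows so the effect of each handler can be compared."""
    return con.execute("SELECT id, status, remark FROM orders ORDER BY id").fetchall()


# Constructed remark containing a quote and a trailing SQL comment.
REMARK = "ok' WHERE 1=1 --"

if __name__ == "__main__":
    db = make_db()
    update_order_unsafe(db, 1, "delivered", REMARK)
    print("unsafe:", snapshot(db))  # every order is now 'delivered'
    db = make_db()
    update_order_safe(db, 1, "delivered", REMARK)
    print("safe:  ", snapshot(db))  # only order 1 changed; remark stored verbatim
```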
Threat Metrics
- CVSS Score: 7.3
- Severity: MEDIUM
- Attack Vector: NETWORK
- Attack Complexity: LOW