CVE-2025-3330

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in codeprojects Online Restaurant Management System 1.0 allows attackers to execute arbitrary SQL commands through the 'first' parameter in /reservation_save.php. Remote attackers can potentially access, modify, or delete database content. All users running version 1.0 are affected.

💻 Affected Systems

Products:
  • codeprojects Online Restaurant Management System
Versions: 1.0
Operating Systems: All platforms running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation. The vulnerability is in the reservation_save.php file, which handles reservation form submissions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Data exfiltration of customer information, reservation data, and potential administrative credential theft leading to system takeover.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a web-facing component with public exploit available.
🏢 Internal Only: MEDIUM - Internal systems could still be compromised through internal attackers or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries as a workaround.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation for all parameters in reservation_save.php

Modify reservation_save.php to validate and sanitize all user inputs before database operations
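The following is an added illustration of that workaround, not code from the codeprojects project (the advisory does not reproduce reservation_save.php). It shows the string-concatenation pattern the vulnerability class relies on beside a version that validates input and binds it with a mysqli prepared statement; the `$conn` connection, the `reservations` table and its `first`, `last` and `email` columns are assumed names.

```php
<?php
// Added example, not the project's code. Assumes an open mysqli connection
// $conn and a table `reservations` with columns first, last, email
// (all assumed; the real schema is not shown in the advisory).

// Insecure pattern: request values are concatenated into the SQL text, so a
// crafted 'first' value is parsed by the database as part of the statement.
function save_reservation_insecure(mysqli $conn, array $post): bool {
    $sql = "INSERT INTO reservations (first, last, email) VALUES ('"
         . $post['first'] . "', '" . $post['last'] . "', '"
         . $post['email'] . "')";
    return $conn->query($sql) === true;
}

// Hardened version: allow-list validation of each field, then a prepared
// statement with bound parameters so input is never interpreted as SQL.
function save_reservation_safe(mysqli $conn, array $post): bool {
    $first = trim($post['first'] ?? '');
    $last  = trim($post['last']  ?? '');
    $email = trim($post['email'] ?? '');

    // Names: letters (any script), spaces, hyphens, apostrophes; 1-50 chars.
    $namePattern = '/^[\p{L} \'\-]{1,50}$/u';
    if (!preg_match($namePattern, $first) ||
        !preg_match($namePattern, $last) ||
        filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // Reject the request; do not echo database errors back to the client.
        return false;
    }

    $stmt = $conn->prepare(
        'INSERT INTO reservations (first, last, email) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // 'sss' = three string parameters; values travel separately from the SQL.
    $stmt->bind_param('sss', $first, $last, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Pair the prepared statement with a database account that holds only INSERT/SELECT on the tables the page needs, as the "If You Can't Patch" advice below recommends, so that even a query bug cannot reach other data.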

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block requests containing SQL keywords and special characters in parameters

🧯 If You Can't Patch

  • Block external access to /reservation_save.php via firewall rules
  • Run the application under a database user with minimal permissions (read-only where the workflow allows it)

🔍 How to Verify

Check if Vulnerable:

Test the reservation_save.php endpoint with SQL injection payloads in the 'first' parameter

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and that the application returns appropriate error messages instead of database errors

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple failed reservation attempts with SQL keywords

Network Indicators:

  • HTTP POST requests to /reservation_save.php containing SQL keywords like UNION, SELECT, INSERT

SIEM Query:

source="web_logs" AND uri="/reservation_save.php" AND (payload CONTAINS "UNION" OR payload CONTAINS "SELECT" OR payload CONTAINS "--")
