Login Sign Up

CVE-2025-4815

7.3 HIGH
SQL Injection

📋 TL;DR

Campcodes Sales and Inventory System 1.0 contains a critical SQL injection vulnerability in the supplier_update.php file that allows remote attackers to execute arbitrary SQL commands by manipulating the Name parameter. This affects all installations of version 1.0 that expose the vulnerable endpoint. Attackers can potentially access, modify, or delete database contents.

💻 Affected Systems

Products:
  • Campcodes Sales and Inventory System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable file accessible are affected; no special configuration required

📦 What is this software?

Sales And Inventory System by Campcodes

View all CVEs affecting Sales And Inventory System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠

Likely Case

Unauthorized data access and modification of supplier records, potential privilege escalation, and database integrity compromise

🟢

If Mitigated

Limited impact with proper input validation and WAF rules blocking SQL injection patterns

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details publicly available on GitHub; simple SQL injection requiring minimal technical skill

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameterized queries and input validation to supplier_update.php

Modify /pages/supplier_update.php to use prepared statements with bound parameters

Web Application Firewall Rules

all

Block SQL injection patterns targeting the vulnerable endpoint

Add WAF rule: deny requests to /pages/supplier_update.php containing SQL keywords in Name parameter

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules to only trusted IP addresses
  • Implement database-level controls: use least privilege database accounts, enable audit logging

🔍 How to Verify

Check if Vulnerable:

Test the /pages/supplier_update.php endpoint with SQL injection payloads in the Name parameter

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web server process
  • Multiple failed login attempts or SQL errors in application logs

Network Indicators:

  • HTTP requests to /pages/supplier_update.php containing SQL keywords (UNION, SELECT, INSERT, etc.)

SIEM Query:

source="web_logs" AND uri="/pages/supplier_update.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")

📊 Metadata

CVE ID: CVE-2025-4815
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.07% exploit probability (20.5th percentile)
Published: May 17, 2025
Last Updated: May 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-4815, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)