CVE-2025-7168

7.3 HIGH

📋 TL;DR

This high-severity (CVSS 7.3) SQL injection vulnerability in the code-projects Crime Reporting System 1.0 lets an unauthenticated remote attacker inject SQL through the email parameter of userlogin.php. Depending on the privileges of the database account the application uses, an attacker can read, modify, or delete database content and bypass the login. All installations of the vulnerable version are affected.

💻 Affected Systems

Products:
  • code-projects Crime Reporting System
Versions: 1.0
Operating Systems: Any OS running PHP with database backend
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation. Requires PHP and database backend (likely MySQL/MariaDB).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: data theft, data manipulation and authentication bypass, and, if the application's database account holds elevated privileges (for example the MySQL FILE privilege), file writes on the database host that can lead to remote code execution.

🟠

Likely Case

Unauthorized data access, credential theft, and potential privilege escalation leading to system compromise.

🟢

If Mitigated

Limited impact when the query is parameterized and the database account is restricted to the privileges the application needs; injection attempts then fail, and they should still be logged so that probing of the login form is visible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via userlogin.php which is typically internet-facing for web applications.
🏢 Internal Only: MEDIUM - Internal systems could still be targeted via internal network access or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available. SQL injection via email parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available at the time of writing. Check the vendor website for updates; until a fix is published, apply the workarounds below or migrate to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Add parameterized queries or prepared statements to userlogin.php to prevent SQL injection.

Edit userlogin.php so the login query uses a prepared statement instead of concatenating the submitted email into the SQL string (mysqli shown; bind every user-supplied value, including the password, the same way and never build any part of the query from request data): $stmt = $conn->prepare('SELECT * FROM users WHERE email = ?'); $stmt->bind_param('s', $email); $stmt->execute(); $result = $stmt->get_result();
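The following is an added example, not code from the Crime Reporting System: it models the injection pattern behind CVE-2025-7168 and its prepared-statement fix with Python's sqlite3 module so that it runs offline. The table and column names (users, email, password), the two sample accounts and the exact query shape are assumptions; the advisory only names the email parameter of userlogin.php. It shows both failure modes: a login query that takes email and password is bypassed with the advisory's payload plus a trailing comment, and an email-only lookup returns every user with the bare payload. The parameterized versions treat the same input as a literal string.

```python
# Added example, not code from the Crime Reporting System. Schema, query
# shape and sample accounts are assumptions; sqlite3 stands in for MySQL.
import sqlite3

BYPASS = "' OR '1'='1' -- "   # advisory payload plus a comment to hide the rest of the query
ENUMERATE = "' OR '1'='1"     # bare advisory payload


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.org", "s3cret"), ("bob@example.org", "hunter2")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """The flaw: request values are concatenated into the SQL text.
    With BYPASS the comment marker removes the password check, so the
    first row is returned although the password is wrong."""
    sql = (
        "SELECT id, email FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def lookup_vulnerable(conn, email):
    """Same flaw in an email-only lookup (the shape of the workaround's
    query): the bare payload matches every row, not one."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def login_fixed(conn, email, password):
    """Prepared statement: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, email FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


def lookup_fixed(conn, email):
    """Parameterized email-only lookup; the payload simply matches nothing."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload :", login_vulnerable(db, BYPASS, "wrong"))
    print("vulnerable lookup with payload:", lookup_vulnerable(db, ENUMERATE))
    print("fixed login with payload      :", login_fixed(db, BYPASS, "wrong"))
    print("fixed lookup with payload     :", lookup_fixed(db, ENUMERATE))
```

Note that the bare payload does not bypass login_vulnerable on its own, because AND binds tighter than OR and the password check still applies; the trailing comment is what defeats it. Whether the real userlogin.php checks the password in SQL or in PHP is not known from the advisory, which is why both shapes are shown.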

Web Application Firewall (WAF)

Platform: all

Deploy WAF rules to block SQL injection patterns targeting the email parameter.

Configure the WAF to block SQL injection patterns on the email parameter of /userlogin.php; with ModSecurity, the OWASP Core Rule Set SQLi rules (REQUEST-942-APPLICATION-ATTACK-SQLI.conf) cover this class of payload. Treat the WAF as a stopgap: it reduces exposure but does not remove the flaw, and encoded or obfuscated payloads may still get through.

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation and restrict database access to minimum required sources

🔍 How to Verify

Check if Vulnerable:

Against a test copy of the application, submit a login with a SQL injection payload such as ' OR '1'='1 in the email parameter of /userlogin.php and compare the response with a normal failed login. A successful login, a database error message, or any other change in the response indicates that the parameter is being placed into the query unescaped.

Check Version:

Check application version in source code or configuration files; look for version 1.0 references.

Verify Fix Applied:

Repeat the payload tests after applying the fix. A payload such as ' OR '1'='1 must now behave exactly like an unknown e-mail address: no login, no database error, and no difference in the response.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL patterns in email field
  • HTTP requests to userlogin.php with SQL keywords

Network Indicators:

  • HTTP POST requests to /userlogin.php containing SQL injection patterns
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri_path="/userlogin.php" AND (email="*' OR *" OR email="*' AND *" OR email="*UNION*SELECT*" OR email="*'--*" OR email="*'#*")

This assumes the logging layer (a WAF or reverse-proxy audit log) records the submitted email field; a plain access log does not capture POST bodies. Anchor the keywords to the preceding quote as above: a bare *OR* or *SELECT* match also fires on ordinary addresses such as victor@example.org.
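The same detection logic as runnable code, added here as an example and not part of the advisory. It assumes the web tier writes one JSON object per request that includes the submitted email field (as the SIEM query above already assumes; a plain access log would not contain it), and the field names ts, method, uri_path, status and email are assumptions. The sample log lines are constructed and include ordinary addresses containing "or" to show why the patterns are anchored to a quote character.

```python
# Added example, not part of the advisory. Log format, field names and the
# sample events are assumptions; the rules implement the SIEM query's logic
# with quote-anchored patterns to avoid false positives on normal e-mail.
import json
import re

SQLI_RULES = {
    # quote followed by a boolean operator: ' OR '1'='1, ' AND 1=1
    "quote_boolean": re.compile(r"'\s*(or|and)\s+\S", re.I),
    # UNION SELECT / UNION ALL SELECT
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    # quote followed by a comment marker: admin'-- , admin'#
    "quote_comment": re.compile(r"'\s*(--|#|/\*)"),
    # stacked statement after a semicolon
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|select)\b", re.I),
}

# Constructed sample events (not real traffic); serialized as JSON lines.
SAMPLE_EVENTS = [
    {"ts": "2025-07-10T09:00:01Z", "method": "POST", "uri_path": "/userlogin.php", "status": 200, "email": "victor@example.org"},
    {"ts": "2025-07-10T09:00:07Z", "method": "POST", "uri_path": "/userlogin.php", "status": 302, "email": "' OR '1'='1"},
    {"ts": "2025-07-10T09:00:12Z", "method": "POST", "uri_path": "/userlogin.php", "status": 200, "email": "george.orwell@example.org"},
    {"ts": "2025-07-10T09:00:20Z", "method": "POST", "uri_path": "/userlogin.php", "status": 500, "email": "x' UNION SELECT 1,2,3 -- "},
    {"ts": "2025-07-10T09:00:25Z", "method": "POST", "uri_path": "/index.php", "status": 200, "email": "' OR '1'='1"},
    {"ts": "2025-07-10T09:00:31Z", "method": "POST", "uri_path": "/userlogin.php", "status": 302, "email": "admin'-- "},
    {"ts": "2025-07-10T09:00:40Z", "method": "POST", "uri_path": "/userlogin.php", "status": 200, "email": "o'brien@example.org"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def is_sqli(value):
    """Return the name of the first rule the value matches, or None."""
    for name, rx in SQLI_RULES.items():
        if rx.search(value):
            return name
    return None


def flag_requests(lines, path="/userlogin.php"):
    """Scope to the login endpoint, then test the email field against the
    rules. Returns one hit per matching request, in log order."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if ev.get("uri_path") != path:
            continue
        rule = is_sqli(str(ev.get("email", "")))
        if rule:
            hits.append({"ts": ev.get("ts"), "email": ev["email"],
                         "rule": rule, "status": ev.get("status")})
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Three of the seven constructed events are flagged; the two addresses containing "or" and the apostrophe in o'brien@example.org are not. A hit whose status is a redirect (302 here, the normal post-login redirect) rather than the failed-login page deserves first attention, because it suggests the bypass worked rather than merely being attempted. The payload sent to /index.php is ignored by the path filter, matching the SIEM query's scope; widen the path argument if other pages also accept the email field.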
