CVE-2025-8190
BaseFortify
Publication date: 2025-07-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | courier_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8190 is a critical SQL injection vulnerability in Campcodes Courier Management System 1.0, specifically in the /print_pdets.php file. It occurs because the application improperly handles the 'ids' parameter by directly embedding it into SQL queries without validation or sanitization. This allows attackers to inject malicious SQL code remotely, potentially compromising the confidentiality, integrity, and availability of the system. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to gain unauthorized access to the database, extract sensitive information, modify or delete data, and potentially gain full control over the affected system. It can also lead to service disruptions, severely impacting system security and business continuity. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by checking for the presence of the vulnerable endpoint /print_pdets.php and testing the 'ids' parameter for SQL injection. One method is to use sqlmap to automate detection, for example: sqlmap -u "http://target/print_pdets.php?ids=1" --batch. Additionally, Google Dorking with the query "inurl:print_pdets.php" can help identify vulnerable targets. Manual testing can include injecting boolean-based, error-based, or time-based SQL payloads into the 'ids' parameter and observing responses. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Replacing the affected product with an alternative solution if possible. 2) Applying prepared statements with parameter binding to separate SQL code from user input. 3) Implementing strict input validation and filtering on the 'ids' parameter to ensure it conforms to expected formats. 4) Limiting database user permissions to the minimum necessary to reduce impact. 5) Conducting regular security audits to detect and remediate vulnerabilities promptly. [1, 2]