CVE-2025-10808
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | farm_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10808 is a critical SQL injection vulnerability in Campcodes Farm Management System version 1.0, specifically in the /uploadProduct.php file. The vulnerability occurs because the 'type' parameter is improperly handled and directly incorporated into an SQL query without proper sanitization or validation. This allows an attacker to inject malicious SQL code remotely without authentication, potentially manipulating the database by extracting, altering, or deleting data. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to remotely exploit the system without authentication to gain unauthorized access to the database. They can extract sensitive information, modify or delete data, disrupt services, and potentially take full control of the system. This threatens the confidentiality, integrity, and availability of your system and business operations. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /uploadProduct.php endpoint for SQL injection via the 'type' parameter. A common approach is to send crafted SQL injection payloads in POST requests to observe if the system is vulnerable. For example, using curl to send a payload that attempts to extract database information: curl -X POST -d "type=1' AND updatexml(1,concat(0x7e,(select database()),0x7e),1) AND 'a'='a" http://<target>/AgroCulture/uploadProduct.php. Additionally, attackers may use Google dorking with queries like inurl:uploadProduct.php to identify vulnerable targets. Monitoring network traffic for suspicious POST requests to /uploadProduct.php with unusual 'type' parameter values can also help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Replace the affected product with a secure alternative if possible, as no official patches are documented. 2) Implement prepared statements with parameter binding in the code to prevent SQL injection. 3) Apply strict input validation and filtering on the 'type' parameter to ensure only expected values are accepted. 4) Limit database user permissions to the minimum necessary, avoiding use of high-privilege accounts for routine operations. 5) Conduct security audits and code reviews to identify and fix similar vulnerabilities. Until a fix is applied, consider restricting access to the vulnerable endpoint or deploying web application firewalls to block malicious payloads. [1, 2]