CVE-2025-10857
BaseFortify
Publication date: 2025-09-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | point_of_sale_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10857 is an SQL Injection vulnerability in the Campcodes Point of Sale System POS version 1.0, specifically in the /login.php file. The vulnerability occurs because the username parameter is not properly sanitized, allowing attackers to inject malicious SQL code. This can enable unauthorized access or manipulation of the database remotely without authentication. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute arbitrary SQL commands on the database, potentially compromising the confidentiality, integrity, and availability of the system. Attackers could gain unauthorized access, manipulate or steal sensitive data, disrupt operations, or take control of the system. The exploit is easy to carry out and publicly available, increasing the risk of exploitation. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /login.php endpoint for SQL injection on the username parameter. One approach is to use SQL injection testing tools or manual injection attempts with payloads such as "' OR '1'='1" in the username field to observe if the system behaves unexpectedly or returns database errors. Additionally, Google dorking with queries like "inurl:login.php" can help identify potentially vulnerable targets. Network monitoring for unusual SQL query patterns or unexpected database errors in logs may also indicate exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected Campcodes Point of Sale System POS 1.0 with an alternative solution, as no known countermeasures or patches are available. Restricting access to the /login.php endpoint via network controls or web application firewalls may reduce exposure. Monitoring for exploitation attempts and applying input validation or parameterized queries if possible can help, but the recommended action is to discontinue use of the vulnerable product. [2]