CVE-2025-14247
BaseFortify
Publication date: 2025-12-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | simple_shopping_cart | 1.0 |
| fabian | simple_shopping_cart | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14247 is a critical SQL injection vulnerability in code-projects Simple Shopping Cart version 1.0, specifically in the /Admin/additems.php file. The vulnerability occurs due to improper handling and inadequate validation of the 'item_name' parameter, which allows attackers to inject malicious SQL code. This flaw enables unauthorized database access, data leakage, data tampering, and potentially full system control. The attack can be executed remotely without authentication, and proof-of-concept exploits are publicly available. Attackers can also upload malicious files via the 'item_image' parameter to escalate the attack. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to remotely execute SQL injection attacks that compromise the confidentiality, integrity, and availability of your system. Attackers can access, modify, or delete sensitive data, disrupt services, and potentially gain full control over the affected system. Additionally, the ability to upload malicious files like web shells can lead to further system compromise and persistent access. Exploitation requires no authentication and is relatively easy, increasing the risk of attack. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /Admin/additems.php endpoint for SQL injection via the item_name parameter. You can use tools like sqlmap to automate detection. Example commands include: 1) Using sqlmap: sqlmap -u "http://target/Admin/additems.php" --data="item_name=1111" --method=POST -p item_name 2) Manual testing with curl for boolean-based injection: curl -X POST -d "item_name=1111' OR NOT 3033=3033 #" http://target/Admin/additems.php 3) Manual testing with curl for time-based injection: curl -X POST -d "item_name=1111' AND (SELECT SLEEP(5)) #" http://target/Admin/additems.php Additionally, Google dorking can help identify vulnerable targets using queries like inurl:Admin/additems.php. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Replace the affected Simple Shopping Cart 1.0 component with a secure alternative if possible. 2) Implement prepared statements with parameter binding to prevent SQL injection. 3) Apply strict input validation and sanitization on the item_name parameter to ensure only expected input is accepted. 4) Minimize database user privileges, avoiding use of high-privilege accounts for routine operations. 5) Conduct regular security audits to detect and fix vulnerabilities promptly. Since no known countermeasures exist, these steps are critical to reduce risk. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized database access, data leakage, and data tampering, it could potentially lead to violations of data protection requirements under such regulations if sensitive personal or health data is compromised. No direct statements or analyses regarding compliance impact are available in the provided resources. [1, 2, 3]