Overview
CVE-2025-13396 is a medium-severity SQL injection vulnerability identified in code-projects Courier Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code through the OfficeName parameter in the /add-office.php file. Successful exploitation could lead to unauthorized data access, modification, or deletion within the application’s database.
This vulnerability was published on 2025-11-19 and has a CVSS score of 6.3, indicating a moderate level of risk. The exploit is publicly available, increasing the likelihood of exploitation.
Technical Details
The vulnerability stems from improper sanitization of user-supplied input within the /add-office.php script. Specifically, the OfficeName parameter, intended to store the name of a new office, is not properly validated before being used in a SQL query. An attacker can inject SQL code into this parameter, allowing them to manipulate the query executed against the database.
The vulnerable code resides in the add-office.php file, specifically where the OfficeName value is used in the SQL query without proper escaping or parameterization. The lack of proper input validation opens the door for attackers to inject arbitrary SQL commands.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns a score of 6.3 (Medium) to CVE-2025-13396. The CVSS vector breaks down as follows (the exact vector may vary slightly depending on the CVSS calculator used):
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: Low (C:L)
- Integrity Impact: Low (I:L)
- Availability Impact: Low (A:L)
This score reflects the ease of exploitation (Network attack vector, low complexity) and the potential impact on confidentiality, integrity, and availability. While the impact is considered low for each category, the overall score warrants immediate attention.
Possible Impact
Successful exploitation of CVE-2025-13396 could have the following consequences:
- Data Breach: An attacker could extract sensitive information from the Courier Management System database, including customer details, shipment information, and employee credentials.
- Data Manipulation: The attacker could modify existing data, leading to incorrect shipment information, fraudulent transactions, or denial of service.
- Account Takeover: By injecting SQL code, an attacker might be able to bypass authentication mechanisms or steal user credentials, gaining unauthorized access to administrator accounts.
- System Compromise: In some cases, depending on the database configuration and permissions, an attacker could potentially execute operating system commands, leading to complete system compromise.
Mitigation or Patch Steps
To mitigate the risk posed by CVE-2025-13396, the following steps are recommended:
- Apply the Patch (If Available): Check code-projects.org for an updated version of Courier Management System 1.0 that addresses this vulnerability. If a patch is available, apply it immediately.
- Input Validation and Sanitization: Implement robust input validation and sanitization for all user-supplied data, especially the OfficeName parameter in /add-office.php. Use parameterized queries or prepared statements to prevent SQL injection.
- Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to detect and block SQL injection attempts. Configure the WAF with rules specifically designed to protect against SQL injection vulnerabilities.
- Database Permissions: Review and restrict database user permissions to the minimum required for the application to function correctly. Avoid granting excessive privileges to the database user used by the Courier Management System.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the application.
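The following is an added example (not code from the Courier Management System project) showing the unsafe pattern the advisory describes for the OfficeName parameter next to a hardened handler that validates the value and binds it through a mysqli prepared statement. The table name `offices`, the column `office_name`, and the connection details are hypothetical placeholders.

```php
<?php
// Added example, not the project's actual add-office.php source.
// Assumptions (hypothetical): a mysqli connection, a table `offices`
// with a column `office_name`, and a POST form field named OfficeName.

// UNSAFE pattern (the class of defect in CVE-2025-13396): the raw request
// value is spliced into the SQL string, so its content can change the
// structure of the query rather than being treated purely as data.
function add_office_unsafe(mysqli $conn, string $officeName): bool {
    $sql = "INSERT INTO offices (office_name) VALUES ('" . $officeName . "')";
    return $conn->query($sql) !== false;
}

// Hardened version: validate the value, then bind it as a parameter so the
// database engine only ever sees it as a string literal, never as SQL.
function add_office_safe(mysqli $conn, string $officeName): bool {
    // Application-level validation: office names are short, non-empty text.
    $officeName = trim($officeName);
    if ($officeName === '' || mb_strlen($officeName) > 100) {
        return false;
    }
    // The statement is compiled with a placeholder before the value is
    // supplied, so quotes or keywords inside $officeName cannot alter it.
    $stmt = $conn->prepare("INSERT INTO offices (office_name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $officeName);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Minimal handler sketch for an add-office.php style endpoint.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['OfficeName'])) {
    // Hypothetical credentials; use a least-privilege DB account in practice.
    $conn = new mysqli('localhost', 'cms_user', 'CHANGEME', 'cms_db');
    $conn->set_charset('utf8mb4');
    if (add_office_safe($conn, (string) $_POST['OfficeName'])) {
        echo 'Office added.';
    } else {
        http_response_code(400);
        echo 'Invalid office name.';
    }
    $conn->close();
}
```

Note that escaping with mysqli_real_escape_string() alone is a weaker substitute: binding the value via a prepared statement removes the need to reason about quoting at all.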
