Skip to main content
CVE Vulnerability Database

CVE-2025-8165: Carmelo Food Ordering Review System SQLi

CVE-2025-8165 is a critical SQL injection flaw in Carmelo Food Ordering Review System affecting the approve_reservation.php file. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-8165 Overview

CVE-2025-8165 is a SQL injection vulnerability in code-projects Food Ordering Review System 1.0, developed by Carmelo. The flaw resides in the /admin/approve_reservation.php endpoint, where the occasion parameter is passed directly into a SQL query without proper sanitization. An authenticated remote attacker with low privileges can inject arbitrary SQL statements to manipulate backend database operations. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic attacks against exposed installations. The weakness is categorized under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Authenticated attackers can inject SQL through the occasion parameter in approve_reservation.php, enabling unauthorized read or modification of reservation and user data.

Affected Products

  • Carmelo Food Ordering Review System 1.0
  • Component: /admin/approve_reservation.php
  • CPE: cpe:2.3:a:carmelo:food_ordering_review_system:1.0

Discovery Timeline

  • 2025-07-25 - CVE-2025-8165 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-8165

Vulnerability Analysis

The vulnerability exists in the administrative reservation approval workflow of the Food Ordering Review System. The PHP file approve_reservation.php accepts the occasion HTTP parameter and concatenates it into a SQL statement without parameterized queries or input filtering. This allows an attacker to break out of the intended query context and inject additional SQL syntax.

Because the endpoint resides under /admin/, the attacker requires authenticated access to the administrative interface. However, weak default credentials or chained authentication flaws in similar code-projects applications often lower this barrier. Once exploited, an attacker can extract sensitive reservation records, enumerate user accounts, or modify database contents.

The vulnerability requires no user interaction and can be triggered remotely over the network. Public disclosure of the exploit on VulDB (entry #317579) and a supporting technical writeup in a GitHub CVE SQL Documentation repository increase the risk of automated scanning and exploitation.

Root Cause

The root cause is the unsafe concatenation of the occasion request parameter into a SQL query string. The application does not use prepared statements, parameter binding, or input validation routines such as mysqli_real_escape_string or PDO bindings. This classifies the defect under [CWE-74] and more specifically as SQL Injection.

Attack Vector

An attacker submits a crafted HTTP request to /admin/approve_reservation.php with a malicious occasion value containing SQL metacharacters. The injected payload executes within the context of the database user assigned to the application, typically allowing SELECT, UPDATE, or DELETE operations against the reservation tables.

No verified proof-of-concept code is available in the NVD references beyond the VulDB submission. Refer to the VulDB #317579 entry for technical context.

Detection Methods for CVE-2025-8165

Indicators of Compromise

  • HTTP requests to /admin/approve_reservation.php containing SQL metacharacters such as single quotes, UNION, SELECT, --, or OR 1=1 in the occasion parameter.
  • Unexpected database errors or stack traces logged by the PHP application referencing the approve_reservation workflow.
  • Anomalous administrator sessions originating from untrusted IP addresses approving or modifying reservations.

Detection Strategies

  • Deploy web application firewall (WAF) signatures that flag SQL injection patterns targeting the occasion parameter.
  • Enable verbose query logging on the backend database and alert on syntactically anomalous queries originating from the application user.
  • Correlate administrative endpoint access with authentication events to identify credential abuse preceding injection attempts.

Monitoring Recommendations

  • Monitor outbound database connections for unusual data volumes that may indicate exfiltration via SQL injection.
  • Track failed and successful logins to /admin/ endpoints and alert on brute-force or credential-stuffing patterns.
  • Review web server access logs for repeated probing of approve_reservation.php with varying query string payloads.

How to Mitigate CVE-2025-8165

Immediate Actions Required

  • Restrict network access to the /admin/ directory using IP allowlisting or VPN-based access controls.
  • Rotate administrative credentials and enforce strong password policies on all admin accounts.
  • Place the application behind a WAF configured to block SQL injection payloads targeting the occasion parameter.

Patch Information

No official vendor patch is referenced in the NVD entry at the time of publication. Organizations running Carmelo Food Ordering Review System 1.0 should monitor the code-projects website for updates. Until a fix is released, apply the workarounds listed below or consider decommissioning the affected instance.

Workarounds

  • Modify approve_reservation.php to use parameterized queries via PDO or mysqli prepared statements instead of string concatenation.
  • Apply server-side input validation that restricts the occasion parameter to an allowlist of expected values.
  • Reduce database user privileges so the application account cannot execute schema modifications or read unrelated tables.
  • Disable or remove the affected administrative endpoint if the reservation approval workflow is not in active use.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.