CVE Alert: CVE-2025-10448 - Campcodes - Online Job Finder System

CVE-2025-10448

HIGHNo exploitation knownPoC observed

A flaw has been found in Campcodes Online Job Finder System 1.0. This affects an unknown function of the file /index.php?q=result&searchfor=bycompany. This manipulation of the argument Search causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.

CVSS v3.1 (7.3)

Vendor

Campcodes

Product

Online Job Finder System

Versions

1.0

CWE

CWE-89, SQL Injection

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Published

2025-09-15T14:02:07.388Z

Updated

2025-09-15T14:54:20.242Z

References

https://vuldb.com/?id.323882

https://vuldb.com/?ctiid.323882

https://vuldb.com/?submit.648023

https://github.com/HAO-RAY/HCR-CVE/issues/7

https://www.campcodes.com/

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with a publicly demonstrated PoC, making exploitation feasible without authentication.

Why this matters

Attackers can access or modify data in the underlying database, potentially exposing confidential candidate or employer data and impacting integrity. Given the PoC exists, there is a real likelihood of automated scanning and exploitation against any public instance, with possible regulatory and reputational consequences.

Most likely attack path

An attacker sends crafted input to the search parameter in index.php, triggering an SQL injection via the vulnerable query. No user interaction or authentication is required; successful payloads can exfiltrate data or alter records, with limited blasts across the database due to a low- to moderate-impact surface.

Who is most exposed

Public-facing deployments of Campcodes Online Job Finder System v1.0 are at greatest risk, especially those hosted on broadly accessible web servers or shared hosting without strict input sanitisation or database access controls.

Detection ideas

WAF/logs showing unusual payloads in the q=result&searchfor=bycompany parameter.
Database error messages or stack traces in application or server logs.
Repeated unusual query patterns or timeouts tied to search requests.
Sudden spikes in traffic from automated scanners targeting SQLi patterns.
IOC indicators from CTI feeds or indicator lists matching this CVE.

Mitigation and prioritisation

Apply vendor patch or upgrade to a fixed version immediately; if unavailable, implement rigorous input validation and parameterised queries.
Enable and tune a WAF to block SQLi patterns and suppress detailed error messages.
Restrict database permissions (PR:N) for web app user, and use least-privilege accounts.
Harden error handling and logging; centralise alerting for SQL errors and anomalous search queries.
Develop a quick-change plan for patch deployment and perform root-cause verification in a test environment.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: campcodes, CVE, cve-2025-10448, online-job-finder-system, OSINT, threatintel

CVE Alert: CVE-2025-10448 – Campcodes – Online Job Finder System