A critical hard-coded credential vulnerability in Vvveb allows unauthenticated attackers to gain full administrative access to the underlying database.

This is a hard-coded credential vulnerability within the docker-compose-apache.yaml file. An unauthenticated attacker can connect to the phpMyAdmin service and execute arbitrary read/write queries against the Vvveb database.

The ability for an unauthenticated attacker to access the database poses a catastrophic risk to data confidentiality and integrity. Successful exploitation leads to full account takeover, exfiltration of customer personally identifiable information (PII), and potential manipulation of order data, justifying the 9.8 CVSS score.

Immediate Action: Update Vvveb to version 1.0.8.2 or later immediately to remove the hard-coded credentials.

Proactive Monitoring: Monitor database access logs for connections from unknown IP addresses and inspect phpMyAdmin access patterns for anomalous query behavior.

Compensating Controls: Restrict network access to the phpMyAdmin port (typically 8080 or 3306) via firewall rules or VPN requirements to prevent external exposure.

Public Exploit Available: false

Given the ease of exploitation and the severity of the potential impact, organizations must prioritize patching this vulnerability immediately. Ensure that any existing database credentials have been rotated if the instance was exposed to an untrusted network.