CVE-2025-0168
Published: 01 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0168 is a critical SQL injection vulnerability in code-projects Job Recruitment 1.0, affecting an unknown functionality within the file /_parse/_feedback_system.php. The issue arises from improper handling of the 'person' argument and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-01.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring network access and no user interaction. Successful manipulation of the 'person' argument enables SQL injection, potentially allowing limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as unauthorized data access, modification, or disruption depending on the database backend.
Advisories from VulDB (ctiid.289917, id.289917, submit.473107) document the issue, while a proof-of-concept exploit is publicly available on GitHub at github.com/UnrealdDei/cve/blob/main/sql11.md. No patches or specific mitigations are detailed in the provided references, and the developer site code-projects.org hosts the affected software. The exploit disclosure increases the risk of active exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app enables initial access (T1190), data collection from databases via arbitrary queries (T1213.006), and execution via server software component as mapped by VulDB (T1505).