CVE-2025-0176
Published: 03 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0176 is a SQL injection vulnerability in the Point of Sales and Inventory Management System 1.0 developed by code-projects. The issue resides in the processing of the file /user/add_cart.php, where manipulation of the id/qty arguments enables injection attacks. Rated as critical with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). The vulnerability was published on January 3, 2025.
Remote attackers with low privileges can exploit this vulnerability by manipulating the id/qty parameters in requests to /user/add_cart.php, leading to SQL injection. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the application's database.
Advisories and details are documented on VulDB (ctiid.290105, id.290105, submit.473347), with a public proof-of-concept exploit available at a GitHub Gist. The original software source is hosted at code-projects.org. No specific patches or mitigations are detailed in the available references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/user/add_cart.php) enables exploitation of public-facing application (T1190), abuse of server software component for SQL command execution (T1505 as noted in advisory), and collection of data from databases (T1213.006) via arbitrary SQL queries.