CVE-2025-0203
Published: 04 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0203 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Student Management System version 1.0. The issue resides in the showSubject1 function within the file /config/DbFunction.php, where manipulation of the sid argument enables injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely.
An attacker needs only low privileges, such as those of an authenticated user, and can launch the attack over the network with low complexity and no user interaction. Successful exploitation has limited impact: partial unauthorized disclosure of information, modification of data, or denial of service affecting availability.
Advisories on VulDB detail the vulnerability and note that the exploit has been publicly disclosed via a GitHub Gist, making it available for use. Practitioners should review references including code-projects.org, https://gist.github.com/th4s1s/e8488d7e35d789581979f3b7e4c48b1f, and VulDB entries (ctiid.290140, id.290140, submit.473410) for mitigation steps, as other parameters may also be vulnerable.
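One way to close the sid injection described above, shown as an added example and not the project's own code: validate sid as an integer and bind it through a prepared statement. The function signature, the mysqli connection argument, and the table and column names (subject, subid, sname) are assumptions, since the advisory does not reproduce the source of showSubject1.

```php
<?php
declare(strict_types=1);

// Added example: hardened lookup keyed by `sid`. Table and column names
// (`subject`, `subid`, `sname`) are hypothetical, not taken from the project.
// Anti-pattern to look for when auditing /config/DbFunction.php: SQL text
// built by concatenating or interpolating a request value such as $sid.

function parseSid($raw): int
{
    // Accept only a positive decimal integer and reject everything else,
    // rather than trying to strip or escape unwanted characters.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('sid must be a positive integer');
    }
    return $id;
}

function showSubject1(mysqli $db, $sid): array
{
    $id = parseSid($sid);

    // The placeholder keeps the value out of the SQL text: the statement is
    // parsed first and the parameter is supplied separately as data.
    $stmt = $db->prepare('SELECT subid, sname FROM subject WHERE subid = ?');
    if ($stmt === false) {
        // Log details server-side; do not return $db->error to the client.
        throw new RuntimeException('prepare failed');
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// Caller sketch (connection details assumed): map validation failures to a
// 400 response instead of letting them reach the database layer.
// $db = new mysqli($host, $user, $pass, $name);
// try {
//     $rows = showSubject1($db, $_GET['sid'] ?? '');
// } catch (InvalidArgumentException $e) {
//     http_response_code(400);
//     exit;
// }
```

Because the advisory notes that other parameters may also be vulnerable, the same validate-then-bind pattern should be applied to every query in the file that takes request input.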
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application enables exploitation of a public-facing application (T1190), server software component abuse (T1505, as cited in the advisory), and data collection from databases via arbitrary queries (T1213.006).