CVE-2025-0205
Published: 04 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0205 is a SQL injection vulnerability (CWE-74, CWE-89) classified as critical in the code-projects Online Shoe Store 1.0 application. The flaw resides in an unknown function within the /details2.php file, where manipulation of the 'id' argument enables SQL injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L) and was published on 2025-01-04.
The vulnerability is exploitable remotely by an attacker possessing low privileges. Successful exploitation can result in low-level impacts to confidentiality, integrity, and availability.
Advisories from VulDB (ctiid.290142, id.290142, submit.474032) provide further details, including a public exploit disclosed via a GitHub Gist. The project site at code-projects.org hosts the affected software, but no specific patch or mitigation steps are outlined in the CVE description.
The exploit has been disclosed to the public and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app (/details2.php) enables exploitation of public-facing application (T1190), abuse of server software component for potential RCE (T1505 as assigned by VulDB), and data collection from databases (T1213.006) via unauthorized DB queries.