CVE-2025-0212
Published: 04 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0212 is a critical SQL injection vulnerability in Campcodes Student Grading System 1.0, affecting the /view_students.php file through manipulation of the 'id' argument. Classified under CWE-74 and CWE-89, it enables attackers to inject malicious SQL payloads into database queries. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity: it is reachable over the network, has low attack complexity, and requires low privileges.
Attackers with low-privileged user access (PR:L) can exploit this remotely without user interaction, potentially extracting sensitive data (C:L), modifying database contents (I:L), or disrupting service availability (A:L).
Advisories from VulDB (ctiid.290157, id.290157, submit.474168) document the flaw and its public disclosure, while a GitHub repository provides a proof-of-concept exploit. The vendor site at campcodes.com offers no specific patch details in the referenced materials; practitioners should monitor for updates and apply input sanitization or parameterized queries to /view_students.php as interim mitigations.
The exploit has been publicly disclosed, increasing the risk of widespread abuse against unpatched instances of this system.
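One way to review web server logs for the request pattern described above, as an added example (not code from the advisories or the vendor): it flags requests to /view_students.php whose `id` query value is not a single plain integer. It assumes `id` is a numeric record identifier and that logs use the Apache combined format; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2025:10:01:12 +0000] "GET /view_students.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [05/Jan/2025:10:02:40 +0000] "GET /view_students.php?id=12%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.44 - - [05/Jan/2025:10:02:43 +0000] "GET /grading/view_students.php?id=12&id=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jan/2025:10:03:05 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

TARGET_SUFFIX = "/view_students.php"   # endpoint named in the advisory
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
STRICT_ID = re.compile(r"[0-9]{1,10}")  # ASCII digits only (assumed id format)


def id_is_valid(values):
    """True only for exactly one value made of 1-10 ASCII digits."""
    return len(values) == 1 and STRICT_ID.fullmatch(values[0]) is not None


def suspicious_requests(log_text):
    """Return requests to the affected endpoint whose 'id' fails the strict check."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(TARGET_SUFFIX):
            continue  # other endpoints are out of scope for this check
        # parse_qs percent-decodes values, so encoded quotes are compared decoded
        values = parse_qs(url.query, keep_blank_values=True).get("id", [])
        if not values:
            continue  # no id in the query string (request bodies are not logged)
        if not id_is_valid(values):
            findings.append({"client": client, "time": ts, "method": method,
                             "id": values, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f["time"], f["client"], f["method"], f["status"], f["id"])
```

The same strict integer check is the input validation to enforce server-side before the value reaches a parameterized query.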
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (/view_students.php) enables exploitation of public-facing applications (T1190), data collection from databases (T1213.006), and abuse of server software components (T1505), as mapped by the advisories.