CVE-2025-0229
Published: 05 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0229 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) affecting code-projects Travel Management System version 1.0. The flaw exists in the processing of the /enquiry.php file, where manipulation of arguments including pid, t1, t2, t3, t4, t5, t6, and t7 enables SQL injection attacks.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely by attackers possessing low privileges. Exploitation requires no user interaction and allows limited impacts on confidentiality, integrity, and availability via SQL injection, potentially enabling unauthorized data access, modification, or disruption within the affected application's database.
Advisories from VulDB (ctiid.290225, id.290225, submit.474572) and references including code-projects.org and a GitHub repository (Huandtx/cve/sql1.md) detail the issue, with the exploit publicly disclosed and available for potential use. No specific patches or mitigations are outlined in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection in the public-facing /enquiry.php endpoint enables exploitation of public-facing applications (T1190), abuse of server software components through arbitrary SQL execution (T1505 as noted in advisory), and collection of data from databases via UNION-based queries (T1213.006).