CVE-2025-0230
Published: 05 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0230 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Responsive Hotel Site 1.0. The flaw resides in an unknown function within the file /admin/print.php, where manipulation of the "pid" argument enables SQL injection. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-05.
Attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, but it necessitates low privileges such as a standard authenticated user account. Successful exploitation allows limited impacts, including partial unauthorized disclosure of sensitive data (C:L), minor manipulation of data or configuration (I:L), and limited denial of service (A:L).
VulDB advisories (ctiid.290226, id.290226) and related submissions detail the issue, while a GitHub repository at Huandtx/cve contains a public proof-of-concept exploit in sql1.md. The code-projects.org vendor page is referenced, but no specific patches or mitigations are outlined in the disclosure. Security practitioners should monitor these sources for updates and apply input sanitization or access controls to the affected endpoint as interim measures. The exploit has been publicly disclosed and may be in use.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in /admin/print.php enables exploitation of public-facing web applications (T1190), abuse of server software components for malicious SQL execution (T1505), and collection of data from databases via UNION queries (T1213.006).