CVE-2025-0232
Published: 05 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0232 is a SQL injection vulnerability classified as critical in Codezips Blood Bank Management System 1.0. The issue affects unknown functionality within the /successadmin.php file, where manipulation of the "psw" argument enables SQL injection. Published on 2025-01-05, it carries a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 and CWE-89.
The vulnerability is exploitable remotely by attackers possessing low privileges over the network. No user interaction is required, allowing manipulation that leads to SQL injection with limited impacts on confidentiality, integrity, and availability.
Advisories provide details via VulDB entries (ctiid.290228, id.290228, submit.474597) and a GitHub issue at https://github.com/alc9700jmo/CVE/issues/7. The exploit has been publicly disclosed and may be used.
The public availability of the exploit increases the risk of real-world exploitation against exposed instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated web endpoint (/successadmin.php) enables exploitation of public-facing applications (T1190) and server software components (T1505), allowing remote arbitrary SQL query execution for data access or manipulation.