CVE-2025-0298
Published: 07 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0298 is a SQL injection vulnerability in code-projects Online Book Shop 1.0. The flaw affects the processing of the /process_login.php file, where manipulation of the "usernm" argument enables SQL code injection. Rated as critical with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it maps to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). The vulnerability was published on 2025-01-07.
The attack can be initiated remotely by adversaries with low privileges, requiring low attack complexity and no user interaction. Exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or service disruption via injected SQL queries.
Advisories referenced in VulDB entries (vuldb.com/?ctiid.290447, vuldb.com/?id.290447, vuldb.com/?submit.475159) document the issue, while a public exploit is available in a GitHub Gist (gist.github.com/th4s1s/5435e605e6e9f14a5b76c313483eb58a) and the project site is at code-projects.org. No patches or specific mitigations are detailed in the provided information, and the exploit has been disclosed publicly for potential use.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app login endpoint enables initial access via exploitation (T1190), data collection from databases (T1213.006), and abuse of server software components potentially leading to RCE (T1505 as cited in advisory).