CVE-2025-0300
Published: 07 January 2025
Description
A vulnerability classified as critical was found in code-projects Online Book Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /subcat.php. The manipulation of the argument cat leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-0300 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Online Book Shop 1.0. The issue resides in an unknown functionality of the /subcat.php file, where manipulation of the 'cat' argument enables SQL injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-07T17:15:32.090.
The vulnerability allows remote exploitation by an attacker possessing low privileges. By injecting malicious SQL via the 'cat' parameter, an attacker can achieve limited impacts, including partial unauthorized disclosure of sensitive data (low confidentiality), limited modification of data or configuration (low integrity), and limited denial of service (low availability).
Advisories and references are available from VulDB (including ctiid.290449, id.290449, and submit.475286), the project site at code-projects.org, and a public exploit disclosure on GitHub Gist. No specific patches or mitigations are detailed in the provided information.
The exploit has been disclosed to the public and may be used.
Details
- CWE(s)