CVE-2025-0336
Published: 09 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0336 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Project Management System 1.0. The flaw affects an unknown part of the file /pages/forms/teacher.php, where manipulation of the "name" argument enables SQL injection. Published on 2025-01-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely by injecting malicious SQL via the "name" argument. Successful exploitation allows limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the scope of the low-privilege account.
Advisories provide further details at https://github.com/fuulof/CVE/issues/1, https://vuldb.com/?ctiid.290823, https://vuldb.com/?id.290823, and https://vuldb.com/?submit.475493. The exploit has been publicly disclosed and may be used.
The vulnerability has no reported real-world exploitation at this time.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing web application (/pages/forms/teacher.php) enables remote exploitation of public-facing applications (T1190) and facilitates unauthorized collection of data from databases via injected queries (T1213.006).