Cyber Posture

CVE-2025-0487

Severity: Medium · Public PoC available

Published: 15 January 2025

Published: 15 January 2025
Modified: 27 February 2025
KEV Added: 
Patch: 
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (28.8th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability was found in Fanli2012 native-php-cms 1.0. It has been rated as critical. The affected component is some unknown functionality in the file /fladmin/cat_edit.php, where manipulation of the argument id leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2025-0487 is a SQL injection vulnerability (CWE-74, CWE-89) in Fanli2012 native-php-cms version 1.0. The issue affects unknown functionality in the file /fladmin/cat_edit.php, where manipulation of the 'id' argument triggers the injection. Rated as critical, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it was published on 2025-01-15 at 21:15:15 UTC.

A remote attacker with low privileges (PR:L) can exploit this vulnerability without user interaction (UI:N). Successful exploitation has a limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L) through SQL injection against the database backing /fladmin/cat_edit.php.

Advisories on VulDB (ctiid.291932, id.291932, submit.475254) and the project's GitHub repository (Fanli2012/native-php-cms issue #9, cited under two anchors: #9 and #9#issue-2769962332) detail the issue; the exploit has been publicly disclosed.

Details

CWE(s)
CWE-74, CWE-89

Affected Products

Vendor: fanli2012
Product: native-php-cms
Version: 1.0

References