CVE-2025-0488
Published: 15 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0488 is a critical SQL injection vulnerability in Fanli2012 native-php-cms version 1.0, affecting an unknown part of the file product_list.php. The issue arises from manipulation of the 'cat' argument and is remotely exploitable. It is associated with CWEs 74 and 89, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables low-impact violations of confidentiality, integrity, and availability, potentially allowing unauthorized access or modification of database content via SQL injection.
Advisories and further details are available in referenced sources, including GitHub issues at https://github.com/Fanli2012/native-php-cms/issues/10 and https://github.com/Fanli2012/native-php-cms/issues/10#issue-2769983658, as well as VulDB entries at https://vuldb.com/?ctiid.291933, https://vuldb.com/?id.291933, and https://vuldb.com/?submit.475255.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web CMS (product_list.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505 as noted in advisory), and data collection from databases via arbitrary queries (T1213.006).