CVE-2025-0527
Published: 17 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0527 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Admission Management System 1.0. The flaw resides in an unknown functionality of the file /signupconfirm.php, where manipulation of the in_eml argument enables SQL injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-17.
The vulnerability is remotely exploitable by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation via crafted in_eml payloads allows limited impacts on confidentiality, integrity, and availability, such as partial data exposure, modification, or disruption. Other parameters may also be affected.
Advisories and details are documented on VulDB (https://vuldb.com/?id.292411, https://vuldb.com/?ctiid.292411, https://vuldb.com/?submit.477899), a GitHub issue (https://github.com/Curious-L/-/issues/4), and the project site (https://code-projects.org/). No specific patches or mitigations are detailed in the CVE description.
The exploit has been publicly disclosed and may be used in the wild.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/signupconfirm.php) enables initial access via exploitation (T1190) and data collection from databases through blind/error-based payloads extracting schema and content (T1213.006).