CVE-2025-0533
Published: 17 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0533 is a critical SQL injection vulnerability (CWE-74, CWE-89) in the 1000 Projects Campaign Management System Platform for Women version 1.0. The flaw resides in an unknown functionality of the file /Code/sc_login.php, where manipulation of the uname argument triggers the injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-17.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can launch SQL injection attacks over the network with low complexity, potentially compromising low levels of confidentiality, integrity, and availability on affected systems. The exploit has been disclosed publicly and may be actively used.
Advisories provide details via references including the project site at https://1000projects.org/, a GitHub issue at https://github.com/onupset/CVE/issues/2, and VulDB entries at https://vuldb.com/?ctiid.292417, https://vuldb.com/?id.292417, and https://vuldb.com/?submit.479119. No specific patches or mitigations are detailed in the core description.
The public disclosure of the exploit heightens the urgency for users of the affected platform to review these resources for remediation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web login endpoint (/Code/sc_login.php) enables exploitation of public-facing applications (T1190), arbitrary SQL execution via server software component (T1505), and data collection from databases (T1213.006) including enumeration and dumping.