CVE-2025-0534
Published: 17 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0534 is a critical SQL injection vulnerability affecting the 1000 Projects Campaign Management System Platform for Women version 1.0. The issue resides in unknown functionality of the file /Code/loginnew.php, where manipulation of the Username argument enables SQL injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-89. The vulnerability was published on 2025-01-17T19:15:28.777.
The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction required. By injecting SQL payloads into the Username parameter, attackers can potentially compromise confidentiality, integrity, and availability, each rated Low in the CVSS vector: for example, extracting limited sensitive data, altering database entries, or causing minor service disruptions.
Advisories indicate that the exploit has been disclosed to the public and may be used. Key references include the project site at https://1000projects.org/, a GitHub issue at https://github.com/onupset/CVE/issues/3, and VulDB entries at https://vuldb.com/?ctiid.292418, https://vuldb.com/?id.292418, and https://vuldb.com/?submit.479128.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated SQL injection in a public-facing web application (/Code/loginnew.php) maps to exploitation of public-facing applications (T1190), to data collection from databases via arbitrary queries (T1213.006), and to abuse of server software components (T1505, as noted in the advisory).
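The defensive side of the pattern the advisory describes, as an added example that is not the project's code: the affected application is PHP, and this restates the same login lookup in Python with sqlite3, showing the string-spliced query beside its parameterized form plus a request-side check for the Username parameter on /Code/loginnew.php. The sample users and request targets are constructed.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the advisory): a stand-in user table and a
# few request targets aimed at the path and parameter the advisory names.
SAMPLE_USERS = [("alice", "hash-of-alice"), ("bob", "hash-of-bob")]
SAMPLE_TARGETS = [
    "/Code/loginnew.php?Username=alice&Password=x",
    "/Code/loginnew.php?Username=alice%27%20--&Password=x",
    "/index.php?page=home",
]
SQL_METACHARS = ("'", '"', "--", ";", "/*")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(username: str) -> str:
    """The vulnerable pattern (CWE-89): the request value is spliced into the
    SQL text, so a quote in the input changes the statement's structure.
    Returned as a string for inspection only; never executed here."""
    return f"SELECT username, password_hash FROM users WHERE username = '{username}'"


def find_user_safe(conn: sqlite3.Connection, username: str):
    """Hardened lookup: the value is bound as a parameter, the SQL text is
    fixed, and the input can only ever be compared as a literal username."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()


def flag_suspicious_logins(targets):
    """Detection side: return Username values sent to /Code/loginnew.php that
    carry SQL metacharacters, a cheap signal to alert on until the fix ships."""
    hits = []
    for target in targets:
        url = urlsplit(target)
        if url.path != "/Code/loginnew.php":
            continue
        for value in parse_qs(url.query).get("Username", []):
            if any(tok in value for tok in SQL_METACHARS):
                hits.append(value)
    return hits
```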