CVE-2025-0536
Published: 17 January 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-0536 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting the 1000 Projects Attendance Tracking Management System version 1.0. The flaw exists in unknown code within the file /admin/edit_action.php, where manipulation of the attendance_id argument enables SQL code injection. Published on 2025-01-17, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories and details are documented on VulDB (ctiid.292420, id.292420, submit.479251), with a proof-of-concept exploit disclosed publicly on GitHub at lan041221/cve/blob/main/Attendance_Tracking_Management_System_SQL_Injection.md. The project website is available at https://1000projects.org/. No specific patch or mitigation guidance is detailed in the referenced sources.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app (/admin/edit_action.php) enables exploitation (T1190), unauthorized database queries for data collection (T1213.006), and data tampering/deletion (T1565.001), impacting confidentiality, integrity, and availability.