CVE-2025-0563
Published: 19 January 2025
Description
A vulnerability was found in code-projects Fantasy-Cricket 1.0. It has been classified as critical. Affected is an unknown function of the file /dash/update.php. The manipulation of the argument uname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-0563 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Fantasy-Cricket version 1.0. The flaw resides in an unknown function within the file /dash/update.php, where manipulation of the uname argument enables SQL injection. Published on 2025-01-19, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable over the network with low attack complexity and requires low privileges from the attacker, with no user interaction needed. Successful exploitation allows an attacker to achieve low-level impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL queries.
Advisories and details are documented in references including VulDB entries at https://vuldb.com/?ctiid.292524, https://vuldb.com/?id.292524, and https://vuldb.com/?submit.484185, as well as a GitHub issue at https://github.com/LiuSir5211314/-sir/issues/2 and the project site at https://code-projects.org/. No specific patch or mitigation steps are detailed in the available information.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)