CVE-2025-0698
Published: 24 January 2025
Description
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been classified as critical. Affected is an unknown function of the file /admin/sys/menu/list. The manipulation of the argument sort/order leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
Security Summary
CVE-2025-0698 is a SQL injection vulnerability (classified under CWE-74 and CWE-89) in JoeyBling bootplus up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw affects an unknown function in the file /admin/sys/menu/list, where manipulation of the sort/order arguments enables SQL injection.
The vulnerability is exploitable remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low complexity (AV:N/AC:L/UI:N). Per its CVSS v3.1 base score of 6.3 (C:L/I:L/A:L/S:U), exploitation can result in limited impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed and may be used.
Advisories, including GitHub issues #19 and #19#issue-2786879797 in the bootplus repository as well as VulDB entries, provide details on the issue. The project employs continuous delivery with rolling releases, so no specific affected or patched versions are available; security practitioners should monitor the repository for updates beyond the referenced commit.
Details
- CWE(s)