CVE-2025-0699
Published: 24 January 2025
Description
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/sys/role/list. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
Security Summary
CVE-2025-0699 is a SQL injection vulnerability (CWE-74, CWE-89) in JoeyBling bootplus up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw affects an unknown functionality in the /admin/sys/role/list file, where manipulation of the sort argument triggers the injection. The product does not use versioning, so details on affected and unaffected releases are unavailable.
The vulnerability enables remote exploitation with low attack complexity and no user interaction required. Attackers need low privileges (PR:L) to target network-accessible instances, potentially achieving limited impacts on confidentiality, integrity, and availability (CVSS v3.1 base score of 6.3: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The exploit has been publicly disclosed and may be used.
Advisories and further details are available via GitHub issues at https://github.com/JoeyBling/bootplus/issues/21 and https://github.com/JoeyBling/bootplus/issues/21#issue-2786893665, as well as VulDB entries including https://vuldb.com/?ctiid.293227, https://vuldb.com/?id.293227, and https://vuldb.com/?submit.480836. No specific patch or mitigation steps are detailed in the available information.
Details
- CWE(s)