CVE-2025-0700
Published: 24 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0700 is a SQL injection vulnerability in the JoeyBling bootplus project, affecting commits up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw is in unspecified functionality of the file /admin/sys/log/list, where manipulating the logId argument leads to SQL injection. It is rated as critical, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), and is associated with CWE-74 and CWE-89. The product uses a rolling release model, so no specific affected or patched version details are available.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through SQL injection.
The issue is documented in the GitHub issue at https://github.com/JoeyBling/bootplus/issues/22 and https://github.com/JoeyBling/bootplus/issues/22#issue-2786899884, and in the VulDB entries at https://vuldb.com/?ctiid.293228, https://vuldb.com/?id.293228, and https://vuldb.com/?submit.480838. None of them provides explicit mitigation or patch details, due to the rolling release nature of the project. The exploit has been publicly disclosed and may be used by attackers.
Notable context includes the public availability of the exploit, published on 2025-01-24, increasing the risk of active exploitation in unpatched instances of bootplus.
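A detection check for the request pattern described above, as an added example that is not code from the advisory or from the bootplus project: it scans access-log lines for requests to /admin/sys/log/list whose logId is not a plain integer. It assumes that a legitimate logId is numeric, that the argument arrives in the query string, and that logs are in Common Log Format; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/admin/sys/log/list"  # path named in the advisory
PARAM = "logId"                   # argument named in the advisory
# Assumption (not stated in the advisory): a legitimate logId is a decimal integer.
PLAIN_ID = re.compile(r"\d{1,18}")
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_log_ids(line):
    """Return the logId values in one access-log line that are not plain integers."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    # endswith() tolerates a servlet context path in front of the endpoint
    if not url.path.rstrip("/").endswith(ENDPOINT):
        return []
    # parse_qs percent-decodes, so encoded quotes and spaces are checked in clear
    values = parse_qs(url.query).get(PARAM, [])
    return [v for v in values if not PLAIN_ID.fullmatch(v)]


def scan(lines):
    """Return (line_number, client_ip, bad_values) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_log_ids(line)
        if bad:
            hits.append((n, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample lines (documentation IP ranges, made-up users)
SAMPLE = [
    '198.51.100.7 - admin [24/Jan/2025:10:01:02 +0000] "GET /admin/sys/log/list?logId=42&page=1 HTTP/1.1" 200 512',
    '203.0.113.9 - user1 [24/Jan/2025:10:02:10 +0000] "GET /admin/sys/log/list?logId=42%27&page=1 HTTP/1.1" 500 310',
    '203.0.113.9 - user1 [24/Jan/2025:10:02:11 +0000] "GET /admin/sys/user/list?logId=x HTTP/1.1" 200 100',
    '203.0.113.9 - user1 [24/Jan/2025:10:02:12 +0000] "GET /admin/sys/log/list?page=2 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, ip, bad in scan(SAMPLE):
        print(f"line {n}: {ip} sent non-numeric {PARAM}: {bad}")
```

Requests that carry logId in a POST body do not appear in a standard access log, so the same check would have to run at a reverse proxy or WAF that sees the body.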
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in the bootplus server software component (/admin/sys/log/list) allows remote arbitrary SQL query execution, directly facilitating T1505 (Server Software Component) as declared in the advisory.