Cyber Posture

CVE-2025-0701

Medium

Published: 24 January 2025
Modified: 10 October 2025
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0012 (30.2th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability classified as critical has been found in JoeyBling bootplus up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It affects an unknown part of the file /admin/sys/user/list. Manipulation of the argument sort leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery; therefore, version details for affected and updated releases are not available.

Security Summary

CVE-2025-0701 is a critical SQL injection vulnerability in the JoeyBling bootplus project, affecting an unknown part of the /admin/sys/user/list file up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw stems from manipulation of the "sort" argument and is classified under CWE-74 (Injection) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection"). It was published on 2025-01-24 and carries a CVSS v3.1 base score of 6.3.

An attacker can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing unauthorized data access, modification, or disruption via injected SQL queries.

Advisories on VulDB (ctiid.293229, id.293229) and GitHub (JoeyBling/bootplus issues #23 and #2786909921) confirm remote exploitability and note that the issue has been publicly disclosed and may be used. The project follows a rolling release model for continuous delivery, so no specific affected or fixed versions are given; security practitioners should update to the latest commits for mitigation.
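As an added illustration (not code from bootplus or from this advisory), the following shows the defensive pattern for a user-list endpoint that accepts a sort parameter: ORDER BY targets cannot be bound as query parameters, so the request value is mapped through a fixed allowlist instead of being concatenated into the SQL. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for an admin user table.
SAMPLE_USERS = [
    (1, "alice", "2024-01-01"),
    (2, "bob", "2023-06-15"),
    (3, "carol", "2024-03-09"),
]

# Allowlist: the only ORDER BY targets this endpoint may use. The request
# value is a key, never raw SQL; the value is the real column name.
SORTABLE_COLUMNS = {"id": "id", "username": "username", "created": "created_at"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Create an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (id INTEGER, username TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(sort, order):
    """Vulnerable pattern: request values are spliced straight into SQL text."""
    return f"SELECT id, username FROM sys_user ORDER BY {sort} {order}"


def build_query_safe(sort, order):
    """Hardened pattern: only allowlisted keys reach the SQL string."""
    try:
        column = SORTABLE_COLUMNS[sort]
        direction = DIRECTIONS[str(order).lower()]
    except KeyError:
        # Reject anything outside the allowlist rather than trying to sanitise it.
        raise ValueError(f"unsupported sort parameter: sort={sort!r} order={order!r}")
    return f"SELECT id, username FROM sys_user ORDER BY {column} {direction}"


def list_users(conn, sort="id", order="asc"):
    """Return usernames ordered by a validated sort key and direction."""
    return [row[1] for row in conn.execute(build_query_safe(sort, order))]
```

The unsafe builder is included only for contrast: any request value, including a column the endpoint never intended to expose, ends up verbatim in the query.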

Details

CWE(s): CWE-74, CWE-89

Affected Products

joeybling / bootplus: ≤ 2020-08-24
