CVE-2025-0842
Published: 29 January 2025
Description
A vulnerability was found in needyamin Library Card System 1.0 and classified as critical. This issue affects some unknown processing of the file admin.php of the component Login. The manipulation of the argument email/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-0842 is a critical SQL injection vulnerability (CWE-74, CWE-89) in needyamin Library Card System 1.0. The issue resides in the unknown processing of the admin.php file within the Login component, where manipulation of the email and password arguments triggers the injection.
Attackers can exploit this remotely without authentication or user interaction, requiring only low attack complexity, as reflected in the CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability.
VulDB advisories (vuldb.com/?ctiid.293999, vuldb.com/?id.293999, vuldb.com/?submit.485540) document the vulnerability, and a proof-of-concept demonstrating admin login bypass is available at websecurityinsights.my.id/2025/01/library-card-system-admin-login-bypass.html. The exploit has been publicly disclosed and may be used; no patches are referenced in the provided details.
The vulnerability was published on 2025-01-29, with the exploit already public.
Details
- CWE(s)