CVE-2025-0846
Published: 30 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-0846 is a critical SQL injection vulnerability affecting the 1000 Projects Employee Task Management System version 1.0. The flaw exists in an unknown part of the file /admin/AdminLogin.php, where manipulation of the email argument triggers the injection. It is associated with CWE-74 and CWE-89, and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can initiate the attack over the network with low complexity, potentially compromising low levels of confidentiality, integrity, and availability through arbitrary SQL queries.
VulDB advisories and a GitHub issue (onupset/CVE #4) document the vulnerability, noting that the exploit has been publicly disclosed and may be used. References include the project site at https://1000projects.org/ and VulDB entries at https://vuldb.com/?ctiid.294009, https://vuldb.com/?id.294009, and https://vuldb.com/?submit.485756. No patches or specific mitigations are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in the unauthenticated /admin/AdminLogin.php endpoint of the public-facing Employee Task Management System web application enables remote attackers to execute arbitrary SQL queries (boolean-based blind and time-based blind), directly mapping to T1190: Exploit Public-Facing Application.