CVE-2025-0873
Published: 30 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0873 is a critical SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode Tailoring Management System 1.0. The issue resides in an unknown functionality of the file /customeredit.php, where manipulation of parameters including id, address, fullname, phonenumber, email, city, and comment triggers the injection. Published on 2025-01-30, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low privileges can exploit this vulnerability without user interaction, potentially achieving limited impacts on confidentiality, integrity, and availability through SQL injection. The attack requires network access and low attack complexity, with the exploit publicly disclosed and available for use.
Advisories and references, including a GitHub issue at https://github.com/magic2353112890/cve/issues/5, the vendor site at https://itsourcecode.com/, and VulDB entries at https://vuldb.com/?ctiid.294067, https://vuldb.com/?id.294067, and https://vuldb.com/?submit.487984, provide further details on the vulnerability, though specific patch or mitigation guidance is not outlined in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/customeredit.php) enables exploitation for initial access (T1190) and unauthorized database queries for data collection (T1213.006).