CVE-2025-0946
Published: 01 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0946 is a critical SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Tailoring Management System version 1.0. The flaw affects an unknown functionality within the templatedelete.php file, where manipulation of the 'id' argument triggers the injection.
The vulnerability enables remote exploitation by low-privileged users (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, score 6.3). Attackers can launch the exploit to perform SQL injection, potentially compromising data confidentiality, integrity, and availability to a limited extent.
VulDB advisories (ctiid.294301, id.294301) document the issue, while a proof-of-concept exploit is publicly disclosed on GitHub at magic2353112890/cve/issues/7. The vendor site is itsourcecode.com, published on 2025-02-01.
The exploit has been disclosed to the public and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing PHP web application (templatedelete.php and others) enables exploitation of public-facing applications (T1190) and unauthorized database access for data collection (T1213.006), as demonstrated by sqlmap dumping database information.