CVE-2025-0947
Published: 01 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0947 is a critical SQL injection vulnerability in itsourcecode Tailoring Management System 1.0, published on 2025-02-01. The issue affects unknown functionality in the file expview.php, where manipulation of the 'expid' argument enables the injection. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability allows remote exploitation by attackers possessing low privileges, with low attack complexity and no requirement for user interaction. Successful attacks can result in limited impacts: partial disclosure of sensitive information (low confidentiality), limited modification of data or system settings (low integrity), and limited denial of service (low availability).
Advisories and references, including VulDB entries at https://vuldb.com/?ctiid.294302 and https://vuldb.com/?id.294302, a GitHub issue at https://github.com/magic2353112890/cve/issues/7, and the vendor site at https://itsourcecode.com/, provide further details but do not specify patches or mitigations in the available information.
The exploit has been disclosed publicly and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing web application (expview.php and others) enables exploitation of public-facing applications (T1190) and facilitates collection of data from databases via unauthorized queries (T1213.006).