Cyber Posture

CVE-2025-1117

Severity: High

Published: 08 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0009 (24.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability classified as critical was found in CoinRemitter 0.0.1/0.0.2 on OpenCart. It affects an unknown part of the component. Manipulation of the argument coin leads to SQL injection, and the attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.3 addresses this issue; upgrading the affected component is recommended.

Security Summary

CVE-2025-1117 is a critical SQL injection vulnerability in CoinRemitter versions 0.0.1 and 0.0.2 running on OpenCart. The flaw arises from improper neutralization of the 'coin' argument in an unknown component, allowing attackers to manipulate SQL queries. Mapped to CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), enabling network-based exploitation without authentication or user interaction.

Unauthenticated remote attackers can exploit this vulnerability by manipulating the 'coin' parameter in requests to affected CoinRemitter instances on OpenCart. Successful exploitation grants limited access to confidential data, moderate integrity disruptions such as data alteration, and low availability impact such as denial of service, depending on the database backend and the privileges of the database account.

VulDB advisories and the CoinRemitter GitHub release recommend upgrading to version 0.0.3, which addresses the issue. A proof-of-concept exploit has been publicly disclosed via a GitHub Gist, increasing the risk of widespread abuse.

The exploit's public availability heightens the urgency for patching, as it may facilitate immediate attacks on unpatched e-commerce sites using vulnerable CoinRemitter modules.

Details

CWE(s)
CWE-74, CWE-89