CVE-2025-1168
Published: 11 February 2025
Description
A vulnerability was found in SourceCodester Contact Manager with Export to VCF 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/delete-contact.php. The manipulation of the argument 'contact' leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-1168 is a SQL injection vulnerability in SourceCodester Contact Manager with Export to VCF 1.0, published on 2025-02-11 and declared critical in the advisory. The flaw affects unknown code within the file /endpoint/delete-contact.php, where manipulation of the 'contact' argument enables SQL injection. It is associated with CWE-74 (Injection) and its more specific child CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'), and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), a score that falls in the CVSS Medium band despite the 'critical' label.
The vulnerability can be exploited remotely by an attacker holding low privileges (PR:L), with low attack complexity and no user interaction. Successful exploitation has limited impact on confidentiality, integrity and availability, potentially enabling unauthorized data access, modification or disruption through the injected SQL.
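A hardened form of the affected endpoint, as an added example and not the project's own code: the 'contact' id is allow-listed as a positive integer and bound as a parameter of a prepared statement, so the value can no longer change the SQL statement that /endpoint/delete-contact.php runs. The advisory gives only the file and argument names; the table and column names, the PDO connection, the request method and the session key are assumptions.

```php
<?php
// Added example; not code from SourceCodester Contact Manager with Export to VCF.
// The vulnerable pattern behind CWE-89 is building the statement from the raw
// request value (string concatenation of $_POST['contact'] into DELETE ... WHERE).
// Everything below except the file/argument names from the advisory is assumed.
declare(strict_types=1);

session_start();

// CVSS vector says PR:L: the endpoint is reached by a logged-in user, so the
// session gate stays in place (session key 'user_id' is an assumption).
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'not authenticated']));
}

// Allow-list the parameter: a contact id is a positive integer and nothing else.
// Anything that is not a plain integer (quotes, spaces, operators) is rejected
// before it gets anywhere near the database.
$raw = $_POST['contact'] ?? $_GET['contact'] ?? null;
$contact = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($contact === false) {
    http_response_code(400);
    exit(json_encode(['error' => 'invalid contact id']));
}

// Assumed DSN and credentials; emulated prepares are disabled so the server
// itself separates the statement text from the bound values.
$pdo = new PDO('mysql:host=localhost;dbname=contact_db;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The id is passed as a bound parameter, never concatenated into the SQL text,
// so it can only ever be compared against the id column. Scoping the delete to
// the current owner (assumed owner_id column) also stops one user deleting
// another user's contacts by guessing ids.
$stmt = $pdo->prepare('DELETE FROM contacts WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $contact, ':owner' => (int) $_SESSION['user_id']]);

header('Content-Type: application/json');
echo json_encode(['deleted' => $stmt->rowCount()]);
```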
Advisories detailing the issue are available from VulDB at https://vuldb.com/?ctiid.295072, https://vuldb.com/?id.295072, and https://vuldb.com/?submit.494766, along with the vendor site at https://www.sourcecodester.com/. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)