CVE-2025-1172
Published: 11 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1172 is a critical SQL injection vulnerability affecting the 1000 Projects Bookstore Management System version 1.0. The issue resides in unknown functionality within the file addtocart.php, where manipulation of the bcid argument enables SQL injection. Published on 2025-02-11, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability is exploitable remotely by attackers possessing low privileges, with low complexity and no requirement for user interaction. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories and related details are available via references including the vendor site at https://1000projects.org/, a GitHub proof-of-concept at https://github.com/NeoVuln/CVE/issues/1, and VulDB entries at https://vuldb.com/?ctiid.295076, https://vuldb.com/?id.295076, and https://vuldb.com/?submit.495183. The exploit has been publicly disclosed and may be used by attackers.
Notable context includes the public availability of the exploit, increasing the risk of immediate exploitation against unpatched instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (addtocart.php) enables exploitation of public-facing application (T1190), abuse of server software component via injected SQL (T1505 as cited in advisory), and collection from databases (T1213.006) as demonstrated by POC extracting database names.