CVE-2025-1173
Published: 11 February 2025
Description
A SQL injection vulnerability in 1000 Projects Bookstore Management System 1.0. The "id" argument processed by the file process_users_del.php is not neutralized before it is used in a SQL statement, so an authenticated remote attacker with high privileges can manipulate the query executed during user deletion.
Security Summary
CVE-2025-1173 is a SQL injection vulnerability in the 1000 Projects Bookstore Management System version 1.0. The flaw is in an unspecified part of the file process_users_del.php, where the "id" argument is placed into a SQL statement without proper neutralization. It is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e. injection) and CWE-89 (SQL Injection). The advisory classification is critical, but the CVSS v3.1 base score is 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), which is medium severity on the CVSS scale; the two ratings use different scales, and the CVSS score is the one to use for prioritisation.
Exploitation requires network access, low attack complexity, high privileges (PR:H, for example an authenticated administrative account, which is consistent with a user-deletion script) and no user interaction. An authenticated remote attacker who can reach the user-deletion function can inject SQL through the "id" parameter. With scope unchanged, the rated impact is low on confidentiality (partial data exposure), low on integrity (unauthorized modification) and low on availability (minor denial of service). Note that these are the scored impacts, not an upper bound: an always-true condition appended to a DELETE statement removes every row the application's database account may delete, so the real-world effect depends on that account's privileges and the DBMS in use.
Advisories are documented on VulDB (ctiid.295077, id.295077, submit.495309), a GitHub issue at NeoVuln/CVE #2, and the project site at 1000projects.org. None of the referenced sources describes a patch or mitigation; practitioners should check them for updates. The standard fix is to validate "id" as an integer and pass it to a prepared statement as a bound parameter in process_users_del.php, rather than concatenating it into the query text.
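As an added illustration, not code from the project or from the advisory: the snippet below reconstructs in Python, with SQLite standing in for the application's database, the pattern the advisory implies for process_users_del.php, where the request's "id" value is concatenated into a DELETE statement. It runs a constructed injection string against that pattern, then against a bound-parameter version and against a version that also validates the id as an integer. The table name, column names, seed rows and the injection payload are constructed assumptions; the real schema and code path are not given in the references.

```python
import sqlite3

# Constructed stand-in for the bookstore's users table; the real schema is
# not published in the advisory, so these names and rows are assumptions.
SEED_USERS = [(1, "admin"), (2, "alice"), (3, "bob")]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def delete_user_vulnerable(conn, user_id):
    """Hypothetical reconstruction of the flawed pattern: the request's 'id'
    value is concatenated into the statement text, so SQL in the value is
    executed as SQL. Returns the number of rows deleted."""
    sql = "DELETE FROM users WHERE id=" + str(user_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_user_bound(conn, user_id):
    """Fix 1: bind the value as a parameter. Whatever the string contains, it is
    compared against the id column as data, never parsed as SQL."""
    cur = conn.execute("DELETE FROM users WHERE id=?", (user_id,))
    conn.commit()
    return cur.rowcount


def delete_user_validated(conn, user_id):
    """Fix 2 (defence in depth): reject anything that is not an integer before
    the database is touched, then bind the validated value."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    cur = conn.execute("DELETE FROM users WHERE id=?", (uid,))
    conn.commit()
    return cur.rowcount


def remaining_users(conn):
    """Return the ids still present, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM users ORDER BY id")]


def demo():
    """Run the constructed payload against all three variants and report."""
    payload = "2 OR 1=1"  # constructed injection string for the 'id' argument
    result = {}

    vuln = make_db()
    result["vulnerable_deleted"] = delete_user_vulnerable(vuln, payload)
    result["vulnerable_left"] = remaining_users(vuln)

    bound = make_db()
    result["bound_deleted"] = delete_user_bound(bound, payload)
    result["bound_left"] = remaining_users(bound)

    validated = make_db()
    try:
        delete_user_validated(validated, payload)
        result["validated_rejected"] = False
    except ValueError:
        result["validated_rejected"] = True
    # A legitimate request still works once the value is a real integer.
    result["validated_deleted"] = delete_user_validated(validated, "2")
    result["validated_left"] = remaining_users(validated)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version turns the payload into `DELETE FROM users WHERE id=2 OR 1=1` and empties the table, which is the "low integrity / low availability" outcome the CVSS vector scores, and worse if the application's database account owns more than this table. The bound version deletes nothing because the whole string is compared to the integer column as a value; the validated version refuses the request before any SQL runs, which is the behaviour a PHP fix using an integer cast and a prepared statement should reproduce.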
Details
CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Affected Products: 1000 Projects Bookstore Management System 1.0
MITRE ATT&CK Enterprise Techniques: T1213.006 (Data from Information Repositories: Databases), T1505 (Server Software Component)
Why these techniques?
SQL injection in process_users_del.php lets an attacker run attacker-controlled SQL against the application's database, which directly supports collection of data from that database (T1213.006, Data from Information Repositories: Databases). The advisories additionally cite T1505 (Server Software Component); that technique covers persistence through server-side components such as SQL stored procedures (T1505.001), which write access to the database obtained through the injection could enable, although the CVSS rating of this issue does not assume that outcome.