CVE-2025-1189
Published: 12 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1189 is a critical SQL injection vulnerability in the 1000 Projects Attendance Tracking Management System version 1.0. The flaw affects an unknown functionality within the /admin/chart1.php file, where manipulation of the course_id argument enables SQL injection. Published on 2025-02-12T10:15:14.540, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-89.
The vulnerability is exploitable remotely by authenticated attackers with low privileges; exploitation is of low complexity and requires no user interaction. Successful exploitation yields limited disclosure of confidential data, limited modification of stored data, and limited disruption of availability, potentially affecting attendance tracking records or related administrative functions.
Advisories from VulDB (ctiid.295095, id.295095, submit.496452) and a GitHub repository detail the issue, while the vendor site at 1000projects.org provides context on the software. The exploit has been publicly disclosed and may be actively used by attackers. No specific patches or mitigations are outlined in the initial disclosure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/admin/chart1.php) enables exploitation for initial access (T1190) and arbitrary database queries for data collection (T1213.006).
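As an added illustration, not code from the advisory or from the 1000 Projects application (whose chart1.php source is not shown here), the following Python/sqlite3 model reproduces the pattern the summary describes: a hypothetical attendance table, and a course_id request parameter first pasted into the SQL text, then validated as an integer and bound as a query parameter.

```python
import sqlite3

# Constructed sample data standing in for the attendance database.
# The schema is hypothetical; the advisory does not give the real one.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attendance (course_id INTEGER, student TEXT, present INTEGER)"
    )
    conn.executemany(
        "INSERT INTO attendance VALUES (?, ?, ?)",
        [(1, "alice", 1), (1, "bob", 0), (2, "carol", 1), (3, "dave", 1)],
    )
    return conn


def chart_rows_vulnerable(conn: sqlite3.Connection, course_id: str) -> list:
    """The weak pattern behind CWE-89: the request parameter is concatenated
    into the SQL text, so whatever it contains is parsed as part of the query."""
    sql = f"SELECT student, present FROM attendance WHERE course_id = '{course_id}'"
    return conn.execute(sql).fetchall()


def chart_rows_hardened(conn: sqlite3.Connection, course_id: str) -> list:
    """Hardened version: reject anything that is not a positive integer id,
    then bind the value as a parameter so the database never treats it as SQL."""
    if not course_id.isdigit():
        raise ValueError("course_id must be a positive integer")
    sql = "SELECT student, present FROM attendance WHERE course_id = ?"
    return conn.execute(sql, (int(course_id),)).fetchall()
```

Binding the parameter is the primary fix; the integer check additionally gives a clean rejection to log and alert on, since a valid course_id for this endpoint is never anything but digits.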