CVE-2025-1197
Published: 12 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1197 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Real Estate Property Management System 1.0. The flaw resides in an unknown functionality of the file /_parse/load_user-profile.php, where manipulation of the userhash argument enables SQL code injection. Published on 2025-02-12, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by an attacker possessing low privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, with the exploit publicly disclosed and potentially usable by adversaries.
Advisories and additional details are available via references including VulDB entries (ctiid.295105, id.295105, submit.496856), a GitHub repository at YinshengLu/CVE containing cve3.pdf, and the vendor site at code-projects.org. No specific patches or mitigations are detailed in the core description.
The exploit disclosure heightens the risk of active use against unpatched instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/load_user-profile.php) enables remote exploitation of public-facing apps (T1190) and server software components (T1505, as noted in advisory), facilitating arbitrary database queries for data collection from databases (T1213.006).