CVE-2025-1210
Published: 12 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1210 is a SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Wazifa System 1.0. The issue resides in an unknown functionality within the file /controllers/control.php, where manipulation of an argument enables SQL injection. Published on 2025-02-12, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), though described as critical in advisories.
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption within the application's database.
Advisories from VulDB (ctiid.295147, id.295147, submit.497357) document the issue, with additional details at code-projects.org and a GitHub proof-of-concept at github.com/nanguawuming/CVE2/blob/main/cve3.pdf. No specific patches or mitigations are detailed in the available information.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in web application (/controllers/control.php) enables remote exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006).