CVE-2025-1374
Published: 17 February 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1374 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Real Estate Property Management System 1.0. The flaw exists in an unknown part of the /search.php file, where manipulation of the arguments StateName, CityName, AreaName, or CatId enables SQL injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-17T04:15:08.643.
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants limited access to confidential information (C:L), limited modification of data integrity (I:L), and limited denial of service (A:L), all within unchanged scope.
VulDB advisories detail the issue across entries like ctiid.295983 and id.295983, with a proof-of-concept exploit disclosed publicly in a GitHub repository (sql-gu2.pdf). The original project page at code-projects.org provides further context, but no specific patches or mitigations are outlined in the references. The exploit availability heightens the risk for exposed instances.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/search.php) enables remote exploitation (T1190), unauthorized database access and collection (T1213.006), and abuse of server software component (T1505, per advisory).