CVE-2025-1379
Published: 17 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1379 is a critical SQL injection vulnerability affecting code-projects Real Estate Property Management System 1.0. The issue resides in an unknown functionality of the file /Admin/CustomerReport.php, where manipulation of the "city" argument enables SQL injection. Published on 2025-02-17, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-89.
The vulnerability is remotely exploitable by low-privileged users (PR:L) with low attack complexity and no user interaction required. Attackers can inject malicious SQL via the "city" parameter to compromise confidentiality, integrity, and availability at a low level, potentially allowing limited data access, modification, or disruption within the application's database context. A proof-of-concept exploit has been publicly disclosed.
Advisories on VulDB (ctiid.295987, id.295987, submit.501070) and the project site at code-projects.org provide further details, alongside a GitHub-hosted POC at https://github.com/1337g/realestatepropertymanagement_poc/blob/main/gu3.pdf. No specific patches or mitigations are detailed in the available references.
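Since the references above give no mitigation, the following illustrates the generic fix for this class of bug: the unsafe concatenation pattern that CWE-89 describes beside the prepared-statement form that removes it. This is an added example written for this page, not code from the Real Estate Property Management System or its POC; the table name, column name and report logic are assumptions, and the sample rows are constructed. It uses an in-memory SQLite database through PDO so it runs offline with a stock PHP install that has pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Added illustration; NOT code from the Real Estate Property Management System.
// Assumed: a "customers" table with a "city" column, and a report page that reads
// the filter from the request. An in-memory SQLite database via PDO keeps it offline.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO customers (name, city) VALUES
               ('Alice', 'Lagos'), ('Bob', 'Abuja'), ('Carol', 'Lagos')");
    return $db;
}

// Vulnerable pattern (CWE-89): the request value is spliced into the SQL text, so the
// database cannot distinguish query structure from user data.
function customerReportVulnerable(PDO $db, string $city): array
{
    $sql = "SELECT name, city FROM customers WHERE city = '" . $city . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: prepared statement with a bound parameter. The value travels
// separately from the statement text and is only ever treated as data.
function customerReportSafe(PDO $db, string $city): array
{
    $stmt = $db->prepare('SELECT name, city FROM customers WHERE city = :city');
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: validate the filter before it reaches the database at all.
// Letters (any script), spaces, dots, apostrophes and hyphens, at most 64 characters.
function isPlausibleCity(string $city): bool
{
    return preg_match('/^[\p{L}\s.\'-]{1,64}$/u', $city) === 1;
}

$db = openDb();
// In the real report page this would be $_GET['city']; a legitimate value with an
// apostrophe is enough to show why concatenation is unsafe.
$filter = "O'Fallon";

if (!isPlausibleCity($filter)) {
    http_response_code(400);
    exit("invalid city filter\n");
}

// The bound parameter handles the apostrophe correctly: zero rows, no error.
echo "Prepared statement rows: ", count(customerReportSafe($db, $filter)), "\n";

try {
    customerReportVulnerable($db, $filter);
} catch (PDOException $e) {
    // The stray quote terminated the string literal: data has become SQL syntax.
    echo "Concatenated query failed: ", $e->getMessage(), "\n";
}
```

The contrast is the point: the same benign input is handled by the prepared statement and breaks the concatenated query, which is exactly the data/structure confusion an attacker exploits. The allowlist check is a second layer, not a substitute for parameterisation; it also gives a defender a clean place to log and alert on rejected filter values hitting the report endpoint.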
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/Admin/CustomerReport.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505 as cited in advisory), and collection of data from databases via arbitrary SQL queries (T1213.006).