CVE-2025-1576
Published: 23 February 2025
Description
A vulnerability classified as critical was found in code-projects Real Estate Property Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax_state.php. The manipulation of the argument StateName as part of String leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-1576 is a critical SQL injection vulnerability in code-projects Real Estate Property Management System 1.0. The issue resides in an unknown functionality of the file /ajax_state.php, where manipulation of the StateName argument as a string parameter enables SQL injection. Published on 2025-02-23, it is associated with CWE-74 and CWE-89, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an attacker possessing low privileges (PR:L). Exploitation requires low attack complexity over the network with no user interaction, allowing limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories and further details are documented in references such as VulDB entries at https://vuldb.com/?ctiid.296551, https://vuldb.com/?id.296551, and https://vuldb.com/?submit.502071, as well as a GitHub repository at https://github.com/fjl1113/cve/blob/main/sql-fjl.md containing exploit information. The exploit has been publicly disclosed and may be used.
The vulnerability's public exploit disclosure heightens the risk for unpatched instances of the affected software.
Details
- CWE(s)