CVE-2025-1850
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1850 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips College Management System 1.0. The issue resides in an unknown functionality of the /university.php file, where manipulation of the book_name argument enables SQL code injection. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized database access, data manipulation, or disruption depending on the backend SQL implementation.
Advisories and references, including VulDB entries and a GitHub repository from WHOAMI-xiaoyu, confirm the exploit has been publicly disclosed and is available for use. No specific patches or mitigations are detailed in the provided information.
The public availability of the exploit PoC heightens the risk for unpatched instances of this college management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/university.php) enables initial access via exploitation of public-facing applications (T1190), execution through server software component abuse (T1505), and collection from databases (T1213.006).