CVE-2025-1870

Critical

Published: 03 March 2025

Published

03 March 2025

Modified

07 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

SQL injection vulnerability have been found in 101news affecting version 1.0 through the "pagedescription" parameter in admin/aboutus.php.

Security Summary

CVE-2025-1870 is an SQL injection vulnerability (CWE-89) discovered in the 101news application, affecting version 1.0 through the "pagedescription" parameter in the admin/aboutus.php component. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, typically through arbitrary SQL query execution that could lead to data exfiltration, modification, or denial of service.

The INCIBE-CERT advisory on multiple vulnerabilities in 101news provides further details, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news.

Details

CWE(s): CWE-89

Affected Products

mayurik

best online news portal

1.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news
Third Party Advisory · cve-coordination@incibe.es