CVE-2025-1871

Critical

Published: 03 March 2025

Published

03 March 2025

Modified

07 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

SQL injection vulnerability have been found in 101news affecting version 1.0 through the "category" and "subcategory" parameters in admin/add-subcategory.php.

Security Summary

CVE-2025-1871 is an SQL injection vulnerability (CWE-89) in the 101news application, affecting version 1.0 through the "category" and "subcategory" parameters in the admin/add-subcategory.php component. Published on 2025-03-03T13:15:12.253, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, typically allowing arbitrary SQL command injection to read sensitive data, modify records, or disrupt database operations.

The INCIBE-CERT advisory provides further details on this and other vulnerabilities in 101news at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news.

Details

CWE(s): CWE-89

Affected Products

mayurik

best online news portal

1.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news
Third Party Advisory · cve-coordination@incibe.es