Cyber Posture

CVE-2025-1872

Critical

Published: 03 March 2025

Modified: 07 March 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A SQL injection vulnerability has been found in 101news, affecting version 1.0, through the "sadminusername" parameter in admin/add-subadmins.php.

Security Summary

CVE-2025-1872 is a SQL injection vulnerability (CWE-89) in the 101news application, affecting version 1.0 via the "sadminusername" parameter in the admin/add-subadmins.php component. Published on 2025-03-03T13:15:12.400, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

A remote attacker needs no privileges and no user interaction, and can exploit the issue over the network with low attack complexity. Exploitation has high confidentiality, integrity, and availability impact: SQL injected through the parameter can potentially compromise the underlying database.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news details this and other vulnerabilities in 101news, providing guidance on mitigation measures.

Details

CWE(s)
CWE-89

Affected Products

Vendor: mayurik
Product: best online news portal
Version: 1.0
