CVE-2025-1873
Published: 03 March 2025
Description
An SQL injection vulnerability has been found in 101news, affecting version 1.0 through the "pagetitle" and "pagedescription" parameters in admin/contactus.php.
Security Summary
CVE-2025-1873 is an SQL injection vulnerability (CWE-89) discovered in the 101news application, specifically affecting version 1.0 through the "pagetitle" and "pagedescription" parameters in the admin/contactus.php component. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impacts across confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Exploitation enables arbitrary SQL query execution, allowing attackers to potentially extract sensitive data, modify database contents, or disrupt service availability.
The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news provides details on this and other vulnerabilities in 101news, including recommended mitigations.
Details
- CWE(s)