CVE-2025-1874

Critical

Published: 03 March 2025

Published

03 March 2025

Modified

07 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

SQL injection vulnerability have been found in 101news affecting version 1.0 through the "description" parameter in admin/add-category.php.

Security Summary

CVE-2025-1874 is a SQL injection vulnerability (CWE-89) discovered in the 101news application, affecting version 1.0 through the "description" parameter in the admin/add-category.php component. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation grants high-impact access to confidentiality, integrity, and availability, enabling arbitrary SQL query execution that could result in data exfiltration, modification, or deletion.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news covers this issue among multiple vulnerabilities in 101news and provides related guidance for practitioners.

Details

CWE(s): CWE-89

Affected Products

mayurik

best online news portal

1.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-101news
Third Party Advisory · cve-coordination@incibe.es