CVE-2025-1963

HighPublic PoC

Published: 05 March 2025

Published

05 March 2025

Modified

02 April 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0005 13.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-1963 is a critical SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Online Hotel Booking version 1.0. The flaw affects unknown code within the /reservation.php file, where manipulation of the 'checkin' argument enables injection of malicious SQL queries. Published on 2025-03-05, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is remotely exploitable by unauthenticated attackers requiring low attack complexity and no user interaction. Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via injected SQL payloads. An exploit has been publicly disclosed and may be in use.

Advisories and details are available via VulDB entries (ctiid.298564, id.298564, submit.511466) and a GitHub issue at ubfbuz3/cve/issues/2, which include the disclosed exploit. No specific patches or mitigations are detailed in the core description, so security practitioners should review these references for updates, such as applying input sanitization or upgrading the software.

Details

CWE(s): CWE-74CWE-89

Affected Products

projectworlds

online hotel booking

1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web app (/reservation.php) enables exploitation of public-facing application (T1190), abuse of server software component (T1505), and data collection from databases via queries like --dbs (T1213.006).

References

https://github.com/ubfbuz3/cve/issues/2
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.298564
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.298564
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.511466
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/ubfbuz3/cve/issues/2
Exploit, Issue Tracking, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0