CVE-2025-1965
Published: 05 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1965 is a critical SQL injection vulnerability in projectworlds Online Hotel Booking version 1.0. The issue affects an unknown function within the /admin/login.php file, where manipulation of the emailusername argument enables SQL injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-05.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, low attack complexity, and no user interaction needed. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads in the login process.
Advisories and details are documented in sources including VulDB entries (ctiid.298566, id.298566, submit.511473) and a GitHub issue at ubfbuz3/cve/issues/4. The exploit has been publicly disclosed and may be used by attackers.
Notable context includes the public availability of the exploit, increasing the risk for unpatched instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application (/admin/login.php) enables exploitation of public-facing applications (T1190) and collection of data from backend databases (T1213.006) via query manipulation, data dumping, and enumeration as demonstrated in POC.