CVE-2025-2033
Published: 06 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2033 is a critical SQL injection vulnerability in code-projects Blood Bank Management System 1.0. The issue affects an unknown function within the file /user_dashboard/view_donor.php, where the donor_id argument can be manipulated to trigger the injection. It is remotely exploitable and has been assigned a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), with associated CWEs CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this vulnerability remotely with little complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially enabling unauthorized data access, modification, or disruption within the application's database.
Advisories and details are available via VulDB entries (ctiid.298776, id.298776) and a submit reference (submit.512164), along with the project site at code-projects.org. A public exploit disclosure exists in a GitHub repository at github.com/intercpt/XSS1/blob/main/SQL.md, indicating the attack may be readily usable.
The exploit has been publicly disclosed, increasing the risk of active exploitation against unpatched instances of Blood Bank Management System 1.0.
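To make the flaw class concrete, the following is an added illustration (not code from the Blood Bank Management System project, whose PHP source is not reproduced here) that mimics the reported pattern in Python with an in-memory SQLite table: a donor_id request parameter concatenated into the query, beside a hardened lookup that validates the parameter as an integer and binds it, plus a simple access-log check that flags non-numeric donor_id values on the affected path. The table schema, the rows and the log lines are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed stand-in for the application's donor table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donor (donor_id INTEGER PRIMARY KEY, "
                 "name TEXT, blood_group TEXT, phone TEXT)")
    conn.executemany("INSERT INTO donor VALUES (?, ?, ?, ?)", [
        (1, "Alice", "O+", "555-0101"),
        (2, "Bob", "A-", "555-0102"),
        (3, "Cara", "B+", "555-0103"),
    ])
    return conn

def view_donor_vulnerable(conn, donor_id):
    # Unsafe pattern (CWE-89): the request value becomes part of the SQL text,
    # so anything other than a plain number can change the query's meaning.
    sql = "SELECT donor_id, name, blood_group FROM donor WHERE donor_id = " + donor_id
    return conn.execute(sql).fetchall()

def view_donor_fixed(conn, donor_id):
    # Hardened form: reject anything that is not a decimal integer, then bind the
    # value as a parameter so the database never interprets it as SQL.
    if not re.fullmatch(r"[0-9]+", donor_id):
        raise ValueError("donor_id must be a positive integer")
    sql = "SELECT donor_id, name, blood_group FROM donor WHERE donor_id = ?"
    return conn.execute(sql, (int(donor_id),)).fetchall()

# Constructed access-log lines; the second carries a URL-encoded tampered parameter.
LOG_LINES = [
    '10.0.0.5 - - [06/Mar/2025:10:00:01] "GET /user_dashboard/view_donor.php?donor_id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Mar/2025:10:00:07] "GET /user_dashboard/view_donor.php?donor_id=7%20OR%201%3D1 HTTP/1.1" 200 4096',
]

def flag_non_numeric_donor_id(lines):
    # Detection heuristic: donor_id on view_donor.php should only ever be digits,
    # so any decoded value that is not purely numeric is worth an alert.
    hits = []
    for line in lines:
        m = re.search(r'view_donor\.php\?([^ "]*)', line)
        if not m:
            continue
        for value in parse_qs(m.group(1)).get("donor_id", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((line.split()[0], value))
    return hits
```

Running the fixed lookup against the same tampered input raises before any SQL is executed, while the vulnerable lookup returns every row.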
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Because the flaw is a SQL injection in a public-facing web application (/user_dashboard/view_donor.php), it maps to Exploit Public-Facing Application (T1190) and, per the advisory, to Server Software Component (T1505); since the injection allows arbitrary SQL queries, it also maps to Data from Information Repositories: Databases (T1213.006).