CVE-2025-2036
Published: 06 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2036 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting s-a-zhd Ecommerce-Website-using-PHP version 1.0. The flaw exists in an unknown part of the file details.php, where manipulation of the pro_id argument enables SQL code injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-06.
The vulnerability is exploitable remotely by attackers possessing low privileges, such as authenticated users, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption within the affected application.
Advisories referenced on VulDB (ctiid.298779, id.298779, submit.512405) and WebSecurityInsights detail the vulnerability and confirm that the exploit has been disclosed publicly, making it available for potential use by attackers. No specific patches or mitigations are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing PHP web app (details.php) directly enables remote exploitation of the application via T1190.