CVE-2025-2037
Published: 06 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2037 is a SQL injection vulnerability affecting code-projects Blood Bank Management System 1.0. The flaw exists in unknown code within the file /user_dashboard/delete_requester.php, where manipulation of the requester_id argument enables SQL injection. Published on 2025-03-06, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability allows remote exploitation by low-privileged users over the network with low attack complexity and no user interaction. Successful exploitation enables limited impacts, including unauthorized low-level access to data (confidentiality), modification of data (integrity), and disruption of service (availability).
Advisories and details are documented on VulDB (https://vuldb.com/?ctiid.298780, https://vuldb.com/?id.298780, https://vuldb.com/?submit.512550), with the original project at https://code-projects.org/. A public exploit is available at https://github.com/intercpt/XSS1/blob/main/SQL1.md and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/user_dashboard/delete_requester.php) enables exploitation of public-facing applications (T1190), abuse of server software components like databases (T1505), and data collection from databases (T1213.006).