CVE-2025-2039
Published: 06 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2039 is a critical SQL injection vulnerability in code-projects Blood Bank Management System version 1.0. The issue affects an unknown function within the file /admin/delete_members.php, where manipulation of the member_id argument enables SQL injection. Published on 2025-03-06, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability can be exploited remotely by an attacker with high privileges (PR:H), such as an authenticated admin user. Successful exploitation allows limited impacts: low confidentiality (C:L), integrity (I:L), and availability (A:L) effects, potentially enabling unauthorized data access, modification, or disruption within the database scope. A public exploit disclosure exists, increasing the risk of targeted attacks.
Advisories and related details are available from sources including the project site at https://code-projects.org/, a GitHub proof-of-concept at https://github.com/intercpt/XSS1/blob/main/SQL4.md, and VulDB entries at https://vuldb.com/?ctiid.298782, https://vuldb.com/?id.298782, and https://vuldb.com/?submit.512564, which may provide further guidance on detection or remediation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web application admin endpoint enables exploitation of public-facing application (T1190), abuse of server software component (T1505 as assigned in advisory), and data collection from databases via arbitrary SQL queries (T1213.006).