CVE-2025-2041
Published: 06 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2041 is a critical SQL injection vulnerability in s-a-zhd Ecommerce-Website-using-PHP version 1.0. The issue affects unknown functionality within the /shop.php file, where manipulation of the p_cat argument enables SQL injection. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')).
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring low attack complexity (AC:L) over the network (AV:N) with no user interaction (UI:N) and no impact on scope (S:U). Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 6.3 (CVSS:3.1). This could enable unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories from VulDB detail the vulnerability, including submission records and a specific entry for the issue, while a blog post on websecurityinsights.my.id provides further analysis of the SQL injection in /shop.php?p_cat. No patches or specific mitigations are detailed in the available references. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing PHP web app (/shop.php) directly enables exploitation of public-facing applications.