CVE-2025-2054
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2054 is a SQL injection vulnerability (CWE-89, with parent class CWE-74) in Blood Bank Management System 1.0 from code-projects.org. The flaw sits in an unspecified function of the file /admin/edit_state.php, where the state_id argument is used in a database query without proper neutralization, so an attacker-controlled value changes the structure of the SQL statement. The CVSS v3.1 base score is 4.7 (Medium, vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L); the vulnerability is reachable over the network.
Exploitation is low-complexity and needs no user interaction, but it requires high privileges (PR:H): the affected script lives under /admin/, so the attacker must already hold an administrator session, whether through valid credentials or a hijacked one. Successful exploitation yields limited impact on confidentiality, integrity, and availability, for example reading or modifying rows the script was never meant to touch, or disrupting the application by injecting queries that fail or lock the database.
Advisories from VulDB (ctiid.298807, id.298807, submit.514346) and a GitHub write-up (intercpt/XSS1/blob/main/SQL6.md) document the issue, and a proof-of-concept exploit has been publicly disclosed. No specific patches or mitigations are mentioned in the provided details; the standard remedy for this defect class is to validate state_id as an integer and pass it to the database as a bound parameter rather than concatenating it into the query text.
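The page does not reproduce the vulnerable PHP, so the following is an added illustration, not code from Blood Bank Management System or from the advisories. It models the defect class in Python with an in-memory SQLite database: `edit_state_vulnerable` concatenates the request parameter into an UPDATE the way an injectable edit_state.php would, and `edit_state_safe` shows the fix (integer validation plus bound parameters). The table name `states`, the columns, the seed rows, and the tautology payload `1 OR 1=1` are all constructed for the example and are assumptions about the real schema.

```python
import sqlite3

# Constructed seed data standing in for the application's state table.
# The real schema is not given on the page; these names are assumptions.
SEED_STATES = [(1, "Alpha"), (2, "Beta"), (3, "Gamma")]


def fresh_db():
    """Build an in-memory database holding the seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE states (state_id INTEGER PRIMARY KEY, state_name TEXT)"
    )
    conn.executemany("INSERT INTO states VALUES (?, ?)", SEED_STATES)
    conn.commit()
    return conn


def edit_state_vulnerable(conn, state_id, new_name):
    """Injectable pattern: the request value is pasted into the SQL text,
    so whatever it contains becomes part of the WHERE clause."""
    sql = f"UPDATE states SET state_name = '{new_name}' WHERE state_id = {state_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually changed


def edit_state_safe(conn, state_id, new_name):
    """Hardened form: reject anything that is not an integer id, then bind
    both values as parameters so the driver never treats them as SQL."""
    try:
        sid = int(state_id)
    except (TypeError, ValueError):
        raise ValueError("state_id must be an integer")
    cur = conn.execute(
        "UPDATE states SET state_name = ? WHERE state_id = ?", (new_name, sid)
    )
    conn.commit()
    return cur.rowcount


def names(conn):
    """Return the state names in id order, for inspecting the outcome."""
    return [r[0] for r in conn.execute("SELECT state_name FROM states ORDER BY state_id")]


def demo():
    """Run the same constructed payload through both code paths."""
    payload = "1 OR 1=1"  # constructed tautology: turns the WHERE clause into 'always true'

    vuln = fresh_db()
    vuln_rows = edit_state_vulnerable(vuln, payload, "pwned")

    safe = fresh_db()
    try:
        edit_state_safe(safe, payload, "pwned")
        safe_result = "accepted"
    except ValueError:
        safe_result = "rejected"

    return {
        "vulnerable_rows": vuln_rows,      # every row rewritten, not just id 1
        "vulnerable_names": names(vuln),
        "safe_result": safe_result,        # payload never reaches the database
        "safe_names": names(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path updates all three rows because the concatenated value rewrites the predicate to `state_id = 1 OR 1=1`; the hardened path refuses the value before any query runs, and a legitimate call such as `edit_state_safe(conn, "2", "Delta")` still changes exactly one row. The same UPDATE-without-parameters shape is what a reviewer should grep for in the PHP, and the rowcount check is a cheap runtime guard: an edit endpoint that touches more than one row has almost certainly been fed something other than an id.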
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component)
Affected Products
- Blood Bank Management System 1.0 (code-projects.org), file /admin/edit_state.php, parameter state_id
MITRE ATT&CK Enterprise Techniques
- T1505 (Server Software Component)
- T1213.006 (Data from Information Repositories: Databases)
Why these techniques?
The SQL injection lets an authenticated administrator run arbitrary queries against the application's backend database. Reading data that way is collection from a database (T1213.006); where the injected queries can write server-side content or persistent database objects, the advisories also map it to abuse of server software components (T1505).