CVE-2025-2064
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information. (MITRE ATT&CK technique description for T1213.006, Data from Information Repositories: Databases.)
Security Summary
CVE-2025-2064 is a critical SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Life Insurance Management System 1.0. The flaw resides in an unknown functionality of the /deletePayment.php file, where manipulation of the recipt_no argument triggers the injection. Published on 2025-03-07, it carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation has a limited impact on confidentiality, integrity, and availability, potentially allowing execution of unauthorized SQL queries against the application's database.
Advisories and further details are documented on VulDB (https://vuldb.com/?ctiid.298820, https://vuldb.com/?id.298820, https://vuldb.com/?submit.514751) and a GitHub issue (https://github.com/ubfbuz3/cve/issues/6). The exploit has been publicly disclosed and may be used.
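As an added illustration, not code from the projectworlds application (whose source the advisory does not reproduce), the following hypothetical PHP shows the string-interpolation pattern that produces a CWE-89 flaw in a receipt-deletion handler, beside a hardened form that validates the format of recipt_no and uses a parameterised PDO statement. The table name payments, the DSN and credentials, the receipt-number format, the session check and the use of $_POST are all assumptions.

```php
<?php
// Added example (not the project's code): a hardened "delete payment by
// receipt number" handler illustrating the fix for the class of flaw in
// CVE-2025-2064. Table/column names, DSN, session layout and the receipt
// format are assumptions, not taken from the application.

declare(strict_types=1);

/**
 * Validate the recipt_no request value before it goes anywhere near SQL.
 * Accepts only the format the application is assumed to issue (here: 1 to 20
 * alphanumeric characters) and returns null for anything else.
 */
function validateReceiptNo(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9]{1,20}$/', $raw) === 1 ? $raw : null;
}

/**
 * Vulnerable pattern (what CWE-89 looks like): the request value is
 * interpolated into the query text, so whatever it contains is parsed as SQL.
 * Shown for contrast only; never use this form.
 */
function deletePaymentUnsafe(PDO $db, string $receiptNo): void
{
    $db->exec("DELETE FROM payments WHERE recipt_no = '$receiptNo'");
}

/**
 * Hardened version: a parameterised statement keeps the value as data
 * regardless of its contents, and the caller has already validated its
 * format. Returns the number of rows deleted.
 */
function deletePaymentSafe(PDO $db, string $receiptNo): int
{
    $stmt = $db->prepare('DELETE FROM payments WHERE recipt_no = :rn');
    $stmt->bindValue(':rn', $receiptNo, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling order: authorise (the advisory rates the endpoint PR:N,
// i.e. reachable without credentials), then validate, then query.
session_start();
if (empty($_SESSION['user_id'])) {           // assumed session key
    http_response_code(401);
    exit('Authentication required');
}

$receiptNo = validateReceiptNo($_POST['recipt_no'] ?? null); // assumed POST
if ($receiptNo === null) {
    http_response_code(400);
    exit('Invalid receipt number');
}

$db = new PDO('mysql:host=localhost;dbname=insurance', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // server-side prepares, not client-side quoting
]);

$deleted = deletePaymentSafe($db, $receiptNo);
echo $deleted === 1 ? 'Payment deleted' : 'No matching payment';
```

The validation step is not a substitute for the prepared statement: the parameterised query is what removes the injection, while the format check narrows the input space, gives a clean 400 for malformed requests, and makes anomalous values easy to log and alert on.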
Details
- CWE(s): CWE-74, CWE-89
- Affected Products: projectworlds Life Insurance Management System 1.0
- MITRE ATT&CK Enterprise Techniques: T1190, T1505, T1213.006
Why these techniques?
SQL injection in the public-facing /deletePayment.php enables initial access via Exploit Public-Facing Application (T1190), abuse of a server software component (T1505, as cited in the advisory), and collection of data from databases (T1213.006) through query manipulation, enumeration, leakage, and tampering.