CVE-2025-2065
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2065 is a critical SQL injection vulnerability in projectworlds Life Insurance Management System version 1.0, affecting an unspecified function in the /editAgent.php file. The issue arises from improper handling of the agent_id parameter and is classified under CWE-74 and CWE-89. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): it is exploitable over the network, requires no privileges and no user interaction, and has low impact on each of confidentiality, integrity, and availability.
Attackers can exploit this vulnerability remotely by manipulating the agent_id parameter in requests to /editAgent.php, potentially leading to unauthorized access, data manipulation, or disruption, each with low impact. Because no privileges are required, any unauthenticated remote actor can attempt it.
Advisories and details are documented in references including a GitHub issue at https://github.com/ubfbuz3/cve/issues/7 and VulDB entries at https://vuldb.com/?ctiid.298821, https://vuldb.com/?id.298821, and https://vuldb.com/?submit.514758. The exploit has been publicly disclosed and may be actively used. No specific patch or mitigation steps are detailed in the available information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the unauthenticated, public-facing /editAgent.php endpoint enables exploitation of a public-facing application (T1190), and the resulting ability to run arbitrary queries enables data collection from the backend database (T1213.006).
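Since no patch is listed, a defender's first step is usually to watch for abuse of the affected parameter. The following added example (not code from the page or from the projectworlds project) scans web-server access logs and flags requests to /editAgent.php whose agent_id is not a plain integer, an allowlist check that does not depend on recognising any particular injection payload. The combined-log format and the sample lines are constructed assumptions; POST bodies are not visible in such logs, so only query-string values are inspected.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" style (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2025:10:00:01 +0000] "GET /editAgent.php?agent_id=42 HTTP/1.1" 200 1532
203.0.113.11 - - [07/Mar/2025:10:00:02 +0000] "GET /editAgent.php?agent_id=42%27 HTTP/1.1" 500 210
203.0.113.12 - - [07/Mar/2025:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4100
203.0.113.13 - - [07/Mar/2025:10:00:04 +0000] "POST /editAgent.php HTTP/1.1" 200 1532
"""

# Fields we need from a combined-format line: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The vulnerable endpoint and parameter named in the CVE; a database id should be a small integer.
VULN_PATH = "/editAgent.php"
VULN_PARAM = "agent_id"
INT_RE = re.compile(r"\d{1,10}")


def suspicious_edit_agent_requests(log_text):
    """Return (client_ip, http_status, decoded_value) for every request to
    VULN_PATH whose VULN_PARAM query value is not a plain non-negative integer.
    Non-matching lines and other paths are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes, so "42%27" arrives here as "42'".
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get(VULN_PARAM, []):
            if not INT_RE.fullmatch(value):
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in suspicious_edit_agent_requests(SAMPLE_LOG):
        print(f"suspicious {VULN_PARAM} from {ip} (HTTP {status}): {value!r}")
```

Feeding the same check real logs gives a quick triage list of hosts probing the parameter; a server-side fix would apply the same integer validation (or a parameterized query) before agent_id reaches SQL.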