CVE-2025-2384
Published: 17 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2384 is a critical SQL injection vulnerability in code-projects Real Estate Property Management System 1.0, affecting an unknown part of the file /InsertCustomer.php within the Parameter Handler component. The issue arises from improper handling of the arguments txtName, txtAddress, cmbCity, txtEmail, cmbGender, txtBirthDate, txtUserName2, and txtPassword2, allowing manipulation that leads to SQL injection. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). It was published on 2025-03-17.
A remote attacker with low privileges can exploit this vulnerability by manipulating the specified parameters during interactions with the affected endpoint. Successful exploitation enables SQL injection attacks, potentially resulting in low-level impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the application's database.
Advisories referenced in VulDB entries (ctiid.299883, id.299883, submit.516282) and related sources like code-projects.org and a GitHub repository document the vulnerability details, noting that the exploit has been publicly disclosed and may be used by attackers. No specific patches or mitigation steps are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app (/InsertCustomer.php) enables initial access via exploitation of public-facing applications (T1190), arbitrary database queries for data collection (T1213.006), and abuse of server software components as mapped in advisory (T1505).