CVE-2025-2391
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2391 is a critical SQL injection vulnerability (CWE-74, CWE-89) discovered in code-projects Blood Bank Management System 1.0. It affects an unidentified piece of code in the file /admin/admin_login.php of the Admin Login Page component. Manipulation of the login request leads to SQL injection; the issue carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2025-03-17T20:15:14.443.
Remote attackers can exploit this vulnerability without authentication, user interaction, or high attack complexity. Exploitation enables SQL injection against the application's database, with a low-rated impact on confidentiality, integrity, and availability in the CVSS vector; the actual impact depends on the backend database configuration and the privileges of the database account the application uses.
Reference advisories, including VulDB entries (vuldb.com/?ctiid.299890, vuldb.com/?id.299890, vuldb.com/?submit.516910) and a GitHub disclosure (github.com/intercpt/XSS1/blob/main/SQL10.md), confirm the exploit has been publicly released and may be used in attacks. The project site (code-projects.org) provides context on the affected software, but no specific patches or mitigations are detailed in the available information.
The exploit disclosure heightens the risk for deployments of Blood Bank Management System 1.0, urging practitioners to review and isolate exposed admin login endpoints.
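The defect class described above, as an added illustration that is not code from the Blood Bank Management System project: a constructed login handler that concatenates request fields into its SQL, beside a hardened version that uses a mysqli prepared statement and checks a stored password hash. The table and column names and the database credentials are assumptions.

```php
<?php
// Constructed example for illustration; not the project's actual admin_login.php.
// Assumed schema: table `admin` with columns `id`, `username`, `password_hash`.

// Vulnerable pattern: untrusted POST fields are concatenated into the query text,
// so a quote or SQL operator in either field changes the meaning of the statement.
function login_vulnerable(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM admin WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened form: the query text is sent to the server separately from the
// parameter, so user input is only ever treated as data. The password is
// compared against a stored hash with password_verify(), never inside SQL.
function login_hardened(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $hash = '';
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// Usage with request data (assumed connection parameters).
$db = new mysqli('localhost', 'bloodbank_app', 'app-password', 'bloodbank');
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!login_hardened($db, $username, $password)) {
    http_response_code(401);
    exit('Invalid credentials');
}
```

The hardened handler should still sit behind a database account limited to the tables the application needs, since parameterisation removes the injection but not the consequences of an over-privileged connection.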
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing admin login page (no authentication required) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505), and collection of data from databases (T1213.006) through arbitrary SQL queries.