CVE-2025-2392
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2392 is a critical SQL injection vulnerability in the code-projects Online Class and Exam Scheduling System version 1.0. The flaw resides in the processing of the /pages/activate.php file, where manipulation of the 'id' argument enables SQL injection. Associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-17.
The vulnerability can be exploited remotely by attackers who possess high privileges (PR:H), requiring low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption within the affected application's database.
Advisories from VulDB (ctiid.299891, id.299891, submit.516912) document the issue, while a proof-of-concept exploit is publicly available on GitHub at intercpt/XSS1/blob/main/SQL11.md, and the software source is hosted at code-projects.org. No specific patches or mitigations are detailed in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing /pages/activate.php endpoint enables remote exploitation of a public-facing web application (T1190) and arbitrary SQL query execution for collecting data from databases (T1213.006).