CVE-2025-2419
Published: 17 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2419 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Real Estate Property Management System 1.0. The flaw resides in an unknown function within the file /InsertFeedback.php, where manipulation of the arguments txtName, txtEmail, txtMobile, and txtFeedback enables SQL injection. Published on 2025-03-17, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by an authenticated attacker with low privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption depending on the database backend.
Advisories and further details are documented on VulDB (ctiid.299916, id.299916, submit.516999), a GitHub repository at heiheiworld/cve, and the vendor site at code-projects.org. The exploit has been publicly disclosed and may be used by attackers. No specific patches or mitigations are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/InsertFeedback.php) enables initial access through exploitation of public-facing applications (T1190), collection of data from databases via arbitrary SQL queries (T1213.006), and abuse of server software components (T1505, as cited in VulDB).