CVE-2025-25222
Published: 18 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25222 is an SQL injection vulnerability (CWE-89) affecting the LuxCal Web Calendar application in versions prior to 5.3.3M for the MySQL variant and prior to 5.3.3L for the SQLite variant. The flaw resides in the retrieve.php component, which fails to properly sanitize user inputs, enabling malicious SQL queries. It carries a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability by sending crafted requests to retrieve.php, potentially executing arbitrary SQL commands. Successful exploitation allows the attacker to retrieve sensitive database information, alter records, or delete data, compromising the entire backend database of affected LuxCal instances.
Advisories from JVN (JVN#26024080) and the official LuxSoft resources detail mitigation through upgrading to LuxCal 5.3.3M (MySQL) or 5.3.3L (SQLite), available via the project download page and discussed in the LuxCal forum. Administrators should review these references for patch deployment and verify configurations to prevent exploitation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection in the public-facing retrieve.php web component allows remote unauthenticated exploitation via crafted requests, directly mapping to T1190 Exploit Public-Facing Application. Resulting DB access enables data retrieval/modification/deletion but the core exploitation technique is T1190.