CVE-2025-25876
Published: 21 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-25876 is a SQL injection vulnerability (CWE-89) discovered in ITSourcecode Simple ChatBox versions up to 1.0. The issue resides in unknown code within the /delete.php file, enabling attackers to obtain sensitive data through malicious SQL queries.
The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no user interaction required, but necessitates high privileges (PR:H) such as authenticated administrative access. Attackers with sufficient permissions can achieve high impacts across confidentiality, integrity, and availability, potentially extracting sensitive data, modifying database contents, or disrupting services.
A proof-of-concept exploit is documented in the reference at https://github.com/SticKManII/cve-poc/blob/main/chat-box/2/poc.md. No vendor advisories, patches, or specific mitigation guidance are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/delete.php) enables exploitation of public-facing application (T1190) and collection of sensitive data from databases (T1213.006).