CVE-2025-2659
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2659 is a critical SQL injection vulnerability affecting Project Worlds Online Time Table Generator version 1.0. The flaw exists in an unknown part of the file /student/index.php, where manipulation of the argument "e" enables the injection. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit the vulnerability. By crafting malicious input for the "e" parameter, they can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality (e.g., data disclosure), integrity (e.g., data modification), and availability (e.g., denial of service).
Advisories referenced in VulDB entries (ctiid.300675, id.300675, submit.520482) and a GitHub issue (ydnd/cve/issues/7) confirm the vulnerability details and note that the exploit has been publicly disclosed, making it available for potential use by attackers. No patches or specific mitigations are mentioned in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the unauthenticated /student/index.php endpoint of the public-facing web application enables exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006) via injected SQL queries, as demonstrated by sqlmap extraction of database information.