CVE-2025-2660
Published: 23 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-2660 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting Project Worlds Online Time Table Generator version 1.0. The flaw exists in unknown code within the file /admin/index.php, where manipulation of the "e" argument enables the injection. It was published on 2025-03-23 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers with network access and low attack complexity, requiring no user interaction. Successful exploitation leads to SQL injection, resulting in low impacts to confidentiality, integrity, and availability.
Advisories and further details are documented in references including https://github.com/ydnd/cve/issues/8, https://vuldb.com/?ctiid.300676, https://vuldb.com/?id.300676, and https://vuldb.com/?submit.520483.
The exploit has been disclosed publicly and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated /admin/index.php enables exploitation of public-facing web application (T1190), data collection from databases (T1213.006), and stored data manipulation (T1565.001).