CVE-2025-2672
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2672 is a SQL injection vulnerability in code-projects Payroll Management System 1.0, located in an unknown function of the file /add_deductions.php. Manipulating the "bir" argument leads to SQL injection; other parameters of the same form may be affected as well. The advisory labels the issue critical, but its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) falls in the Medium band. It maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'). The vulnerability was published on 2025-03-23T23:15:13.847.
Exploitation is possible remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), but requires an authenticated account with low privileges (PR:L), for example an ordinary user of the payroll application. Successful exploitation yields SQL injection with low impact on confidentiality, integrity and availability (C:L/I:L/A:L) and no scope change (S:U).
The issue is documented in the VulDB entries (https://vuldb.com/?ctiid.300689, https://vuldb.com/?id.300689) and in a GitHub disclosure (https://github.com/FoLaJJ/cve/blob/main/sqlcve.md); the project is hosted at https://code-projects.org/. The exploit has been publicly disclosed and may be used. No patch or vendor mitigation is mentioned in the available descriptions; the standard remediation for this class of flaw is to pass user input to the database only through parameterized queries and to validate numeric fields such as "bir" before use.
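The advisory does not include the affected source, so the following is an added illustration, not code from the Payroll Management System or from the disclosure. It models the class of bug described above: a form value for "bir" interpolated into an INSERT statement, next to a version that binds parameters and validates the amount. The table and column names, the "employees" table with salary data, and the payload are all assumptions constructed for the example; the payload needs no stacked statement, so a single-statement query API does not prevent it.

```python
import sqlite3

# Constructed stand-in for the payroll database: an employees table that a
# low-privileged user should not be able to read, and the deductions table
# written by the add-deduction form. Names are assumptions, not the project's.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary REAL)")
    conn.execute("CREATE TABLE deductions (id INTEGER PRIMARY KEY, emp_id INTEGER, bir REAL, sss REAL)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, "alice", 5000.0), (2, "bob", 6000.0)])
    conn.commit()
    return conn

def list_deductions(conn):
    return conn.execute("SELECT emp_id, bir, sss FROM deductions ORDER BY id").fetchall()

# Vulnerable pattern: request values concatenated straight into the SQL text.
def add_deduction_vulnerable(conn, emp_id, bir, sss):
    sql = (f"INSERT INTO deductions (emp_id, bir, sss) "
           f"VALUES ('{emp_id}', '{bir}', '{sss}')")
    conn.execute(sql)
    conn.commit()
    return sql

# Binding alone: the same payload is stored as an inert string in the bir column.
def add_deduction_bound(conn, emp_id, bir, sss):
    conn.execute("INSERT INTO deductions (emp_id, bir, sss) VALUES (?, ?, ?)",
                 (emp_id, bir, sss))
    conn.commit()

# Hardened: enforce the type a deduction amount can have, then bind.
def add_deduction_fixed(conn, emp_id, bir, sss):
    emp_id = int(emp_id)
    bir, sss = float(bir), float(sss)   # ValueError for anything that is not a number
    if bir < 0 or sss < 0:
        raise ValueError("deductions must be non-negative")
    add_deduction_bound(conn, emp_id, bir, sss)

def rejects_payload(conn, payload):
    try:
        add_deduction_fixed(conn, 1, payload, 0)
    except ValueError:
        return True
    return False

# Constructed payload for the bir field: closes the attacker's own row, appends a
# second row whose bir value is a scalar subquery against employees, then
# comments out the remainder of the original statement. (MySQL requires the
# space after "--"; SQLite accepts it either way.)
PAYLOAD = "0', '0'), ('1', (SELECT salary FROM employees WHERE name='bob'), '0') -- "

if __name__ == "__main__":
    conn = setup_db()
    print(add_deduction_vulnerable(conn, 1, PAYLOAD, 0))
    print(list_deductions(conn))        # two rows; the second carries bob's salary
    conn = setup_db()
    add_deduction_bound(conn, 1, PAYLOAD, 0)
    print(list_deductions(conn))        # one row; bir holds the payload as text
    print("fixed version rejects payload:", rejects_payload(setup_db(), PAYLOAD))
```

The vulnerable path writes a row the attacker can read back through the application's own deduction listing, which is the confidentiality impact the CVSS vector records; the same technique with an UPDATE or DELETE subquery covers the integrity side. Binding parameters removes the injection; type validation additionally rejects the request outright instead of storing garbage.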
Details
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
- Affected Products: code-projects Payroll Management System 1.0 (file /add_deductions.php, argument "bir")
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The injection point sits in a public-facing web application (/add_deductions.php), so exploiting it is Exploit Public-Facing Application (T1190). Once the attacker controls the query, the same request can read data from the backing database, which is Data from Information Repositories: Databases (T1213.006).
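For detection, a practitioner would look for requests to /add_deductions.php whose parameters contain SQL syntax or, more reliably for this form, values that are not the numbers the fields are supposed to carry. The scanner below is an added example, not part of the advisory or the project: it parses Apache combined-format access log lines, decodes the query string and flags parameters by generic injection signatures and by a field allowlist. The log lines are constructed for the example (the "employee" parameter name is an assumption), and the approach only sees GET parameters; for POST bodies the same logic must run on a request log that records form fields.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines; not real traffic from any deployment.
SAMPLE_LOG = r'''
10.0.0.5 - - [23/Mar/2025:10:01:02 +0000] "GET /add_deductions.php?employee=7&bir=120.50&sss=50 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Mar/2025:10:02:17 +0000] "GET /add_deductions.php?employee=7&bir=0%27%2C+%270%27%29%2C+%28%271%27%2C+%28SELECT+salary+FROM+employees+WHERE+name%3D%27bob%27%29%2C+%270%27%29+--+&sss=0 HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.9 - - [23/Mar/2025:10:03:40 +0000] "GET /add_deductions.php?employee=7&bir=1%27+OR+%271%27%3D%271&sss=0 HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.5 - - [23/Mar/2025:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic signatures, applied to the decoded parameter value.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I), "boolean_condition"),
    (re.compile(r"\(\s*select\b", re.I), "subquery"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "union_select"),
    (re.compile(r"(--(\s|$)|#|/\*)"), "sql_comment"),
    (re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I), "stacked_statement"),
]

# Application-specific allowlist: these fields of the deduction form are numeric,
# so anything else in them is suspicious regardless of signature matches.
NUMERIC_FIELDS = {"employee", "bir", "sss"}   # assumed field names
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?")

def scan_log(text, path="/add_deductions.php"):
    """Return one finding per suspicious parameter in requests to `path`."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != path:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = [why for rx, why in SQLI_PATTERNS if rx.search(value)]
            if name in NUMERIC_FIELDS and not NUMERIC_RE.fullmatch(value):
                reasons.append("non_numeric_in_numeric_field")
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"),
                    "param": name, "value": value, "reasons": reasons,
                })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["param"], f["reasons"])
```

The allowlist check is the one worth keeping in production: signature lists miss obfuscated payloads, but a deduction amount that is not a number is wrong regardless of how it was encoded. Pair the web-side alert with database audit logs, since a successful injection shows up there as reads from tables the add-deduction form never touches.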