CVE-2025-2831
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2831 is a critical SQL injection vulnerability in the mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统, affecting versions up to commit d4836fusu d4836f6b49cd0ac79a4021b15ce99ff7229d4694. The flaw impacts the getBookList function in the /admin/bookList?page=1&limit=10 endpoint, where manipulation of the 'condition' argument triggers the injection.
The vulnerability enables remote exploitation by low-privileged users (PR:L), with low attack complexity (AC:L) and no need for user interaction (UI:N). Attackers can achieve limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWEs 74 (Improper Neutralization of Special Elements) and 89 (SQL Injection).
Advisories on VulDB (vuldb.com/?ctiid.301468, vuldb.com/?id.301468, vuldb.com/?submit.521458) and Gitee issues for the repository (gitee.com/mingyuefusu/tushuguanlixitong/issues/IBTSJL) provide further details on the issue.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web app endpoint (/admin/bookList) directly enables remote exploitation of public-facing application (T1190).