CVE-2025-2846
Published: 27 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2846 is a critical SQL injection vulnerability in SourceCodester Online Eyewear Shop 1.0, affecting the registration function within the file /oews/classes/Users.php?f=registration of the Registration component. The issue arises from manipulation of the ID argument, classified under CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). It was published on 2025-03-27.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling data extraction, modification, or disruption through SQL injection.
Advisories from VulDB (ctiid.301492, id.301492, submit.522326) document the issue, and a proof-of-concept exploit is publicly available on GitHub at jeajeaa/cve/blob/main/sql.md. The vendor site at sourcecodester.com provides context on the affected software, but no specific patches are detailed in the provided references.
The exploit has been disclosed to the public and may be used, increasing the risk for unpatched Online Eyewear Shop 1.0 deployments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application registration endpoint (Users.php?f=registration) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505), and data collection from databases (T1213.006).