CVE-2025-2985
Published: 31 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2985 is a critical SQL injection vulnerability in code-projects Payroll Management System 1.0, affecting an unknown part of the file update_account.php. The issue arises from manipulation of the 'deduction' argument, with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection) as associated weaknesses. Published on 2025-03-31, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating network-accessible exploitation with low complexity and privileges required.
An attacker with low privileges, such as an authenticated user, can exploit this remotely by injecting malicious SQL via the 'deduction' parameter during account updates. Successful exploitation enables limited impacts: low confidentiality (e.g., partial data disclosure), integrity (e.g., minor data modification), and availability (e.g., limited denial of service). Other parameters may also be vulnerable, broadening potential attack surface.
Advisories referenced in VulDB entries (e.g., ctiid.302037, id.302037) and related disclosures on GitHub and code-projects.org detail the issue but do not specify patches or vendor mitigations in available information. Security practitioners should review these sources for updates.
The exploit has been publicly disclosed and may be actively used, increasing risk for exposed instances of Payroll Management System 1.0.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (update_account.php) enables exploitation of public-facing app (T1190), abuse of server software component for SQL execution (T1505 as cited in advisory), and data collection from databases (T1213.006).