CVE-2025-3039
Published: 31 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-3039 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Payroll Management System 1.0. The flaw affects an unknown function within the file /add_employee.php, where manipulation of the lname and fname arguments enables the injection. Other parameters may also be vulnerable. Published on 2025-03-31, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability with low complexity and no user interaction required. Exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized access, modification, or disruption of database operations via SQL injection.
Advisories and details are documented on VulDB (ctiid.302100, id.302100, submit.524676), the project site at code-projects.org, and a GitHub repository at xuzhuojia22/cve. The exploit has been publicly disclosed and may be used by attackers.
The vulnerability's public exploit disclosure increases the risk of real-world exploitation in unpatched instances of Payroll Management System 1.0.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/add_employee.php) enables exploitation of public-facing applications (T1190) and abuse of server software components (T1505) for unauthorized database access.