Simple Banking System
CVE-2025-11358
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in code-projects Simple Banking System 1.0. Impacted is an unknown function of the file /removeuser.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
SQL injection in Simple Banking System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /removeuser.php, leading to unauthorized database queries with limited information disclosure impact. The CVSS score of 2.1 reflects the restricted exploitation scope (authenticated access required, PR:L), but publicly available exploit code exists, so patching is warranted if the application is still in use.
Technical Context (AI)
Simple Banking System 1.0, a PHP-based web application (per CPE cpe:2.3:a:codeastro:simple_banking_system:1.0), contains improper input validation in the /removeuser.php endpoint. The vulnerability falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), a class that encompasses SQL injection when user-controlled input reaches database queries without sanitization. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning no special network conditions are required, but exploitation mandates prior authentication (PR:L). The affected file processes an 'ID' parameter that is passed directly or indirectly into SQL statements without parameterized queries or prepared statements.
Remediation (AI)
Immediate remediation requires upgrading Simple Banking System to a patched version beyond 1.0 if available from codeastro/code-projects.org. No specific patched version number is confirmed in provided data - contact the vendor or check code-projects.org for an updated release. As an interim compensating control, restrict network access to the /removeuser.php endpoint via web application firewall (WAF) or reverse proxy rules, blocking POST/GET requests to that path and logging attempts. Implement parameterized queries (prepared statements) in the /removeuser.php handler - replace string concatenation of the ID parameter with bound variable placeholders (e.g., PDO prepared statements in PHP with placeholders). Apply strict input validation: enforce ID to be a positive integer only, rejecting any non-numeric characters before database processing. Test changes against the public POC at https://github.com/QuJun1/cve/issues/2 to confirm SQL injection is mitigated. If upgrading is not feasible, disable or remove the removeuser functionality entirely if not critical to operations.
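The two controls named above (a positive-integer check on the ID parameter and a prepared statement with a bound placeholder) as a hardened handler; this is an added example, not code from Simple Banking System, and the `users` table, its `id` column and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not the project's code. Table/column names and the SQLite
// in-memory database are assumptions made so the script runs stand-alone.
declare(strict_types=1);

// Accept only a positive integer; anything else is rejected before any SQL runs.
function parseUserId($raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays or missing values are never valid IDs
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The ID is bound as an integer parameter, so it is treated as data, never as SQL text.
function removeUser(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handler: validate first, log rejections (a useful detection signal), then delete.
function handleRemoveUser(PDO $pdo, $rawId, string $client): string
{
    $id = parseUserId($rawId);
    if ($id === null) {
        error_log("removeuser.php: rejected non-integer ID parameter from $client");
        return 'Invalid ID';
    }
    return removeUser($pdo, $id) === 1 ? 'User removed' : 'No such user';
}

// Constructed sample data (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// A valid ID removes exactly one row; repeating it finds nothing to remove.
echo handleRemoveUser($pdo, '2', '203.0.113.5'), PHP_EOL;
echo handleRemoveUser($pdo, '2', '203.0.113.5'), PHP_EOL;
// A non-integer value is rejected by the validator and never reaches the database.
echo handleRemoveUser($pdo, '1 OR 1=1', '203.0.113.5'), PHP_EOL;
// Row count confirms only the single intended deletion happened.
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

In the real endpoint the raw value would come from `$_GET['ID'] ?? $_POST['ID'] ?? null` and the client address from `$_SERVER['REMOTE_ADDR']`, with the existing authentication check kept in front of the handler.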