Best House Rental Management System
CVE-2025-12226
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in SourceCodester Best House Rental Management System 1.0. The affected function is save_house in the file /admin_class.php. Manipulation of the argument house_no results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used.
Analysis (AI)
SQL injection in SourceCodester Best House Rental Management System 1.0 allows high-privilege remote attackers to manipulate the house_no parameter in the save_house function of /admin_class.php, achieving limited confidentiality and integrity impact. Publicly available exploit code exists but exploitation requires administrative credentials (PR:H), significantly restricting real-world attack surface despite the CVSS 4.0 network vector.
Technical Context (AI)
The vulnerability exists in PHP-based web application logic where user-supplied input (house_no parameter) is insufficiently sanitized before being incorporated into SQL queries within the save_house function. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates the application fails to properly escape or parameterize SQL inputs, allowing attackers with admin access to inject arbitrary SQL commands. The affected product is identified via CPE as mayurik/best_house_rental_management_system version 1.0, a lightweight PHP rental management application lacking parameterized query protections.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Immediate remediation requires upgrading to a patched version if one becomes available from SourceCodester, or replacing the string-built query in the save_house function of /admin_class.php with a parameterized query so that house_no can no longer alter the SQL statement. Temporary compensating controls include:
(1) Restrict admin panel access (/admin_class.php and related endpoints) to specific IP ranges or a VPN, reducing exposure given the high-privilege requirement;
(2) Implement Web Application Firewall (WAF) rules blocking SQL metacharacters in house_no parameter values (single quotes, semicolons, SQL keywords);
(3) Monitor admin account login logs for unauthorized access;
(4) Enforce strong, unique admin passwords and disable default credentials.
Contact SourceCodester via https://www.sourcecodester.com/ for patch availability and timeline.
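As an added illustration of the fix described above (this is not code from SourceCodester's application; the real save_house body is not reproduced on this page), a hypothetical string-concatenated INSERT of the kind CWE-74 describes is shown beside a prepared-statement version. The table and column names (houses, house_no, description, price) and the mysqli connection are assumptions.

```php
<?php
// Added example: hypothetical shape of the flaw and its remediation.
// Table/column names are assumed; they are not taken from the product.

// VULNERABLE PATTERN: request data is concatenated straight into the SQL text,
// so a quote character inside house_no ends the string literal and the rest
// of the value is parsed as SQL.
function save_house_vulnerable(mysqli $conn, array $post): bool {
    $house_no = $post['house_no'];
    $desc     = $post['description'];
    $price    = $post['price'];
    $sql = "INSERT INTO houses (house_no, description, price) "
         . "VALUES ('$house_no', '$desc', '$price')";
    return $conn->query($sql) !== false;
}

// FIXED PATTERN: a parameterized query. The driver sends the statement and
// the values separately, so characters in house_no are always data and
// never SQL syntax. Input validation is layered on top, not used instead.
function save_house_fixed(mysqli $conn, array $post): bool {
    $house_no = trim((string)($post['house_no'] ?? ''));
    $desc     = trim((string)($post['description'] ?? ''));
    $price    = $post['price'] ?? null;

    // Shape checks: a house number is a short identifier, price is numeric.
    if ($house_no === '' || strlen($house_no) > 20) {
        return false;
    }
    if (!is_numeric($price)) {
        return false;
    }
    $price = (float)$price;

    $stmt = $conn->prepare(
        "INSERT INTO houses (house_no, description, price) VALUES (?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    // 's' = string, 'd' = double; every user value goes through bind_param.
    $stmt->bind_param('ssd', $house_no, $desc, $price);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same change applies to every other query in /admin_class.php that interpolates request parameters; fixing only save_house leaves sibling functions with the same pattern exposed.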