Rental Management System
CVE-2025-14531
Severity: LOW
Severity by source: primary rating from NVD, the only source for this CVE.
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in code-projects Rental Management System 2.0. This affects an unknown function of the file Transaction.java of the component Log Handler. Performing manipulation results in CRLF injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Analysis (AI)
CRLF injection in code-projects Rental Management System 2.0 allows authenticated remote attackers to manipulate log entries via the Log Handler component in Transaction.java, enabling log tampering with minimal real-world impact. The vulnerability requires prior authentication (PR:L), has low integrity impact, and carries a very low EPSS score (0.07%) despite public exploit availability, suggesting exploitation is limited to specific threat scenarios.
Technical Context (AI)
CRLF (carriage return/line feed) injection is a CWE-74 code injection vulnerability affecting the Log Handler component within Transaction.java of the Rental Management System. The flaw allows injection of CR/LF sequences into log output, typically enabling log manipulation, log forgery, or bypass of log-based security controls. This is a Java application vulnerability classified as a code injection issue where unsanitized user input reaches logging functions, allowing attackers to insert newline characters that break log record boundaries and inject arbitrary log entries.
Remediation (AI)
Upgrade to a patched version of Rental Management System if available from the vendor at https://code-projects.org/. No specific patch version number is provided in available sources. As an interim compensating control, implement input validation and sanitization in the Log Handler to reject or escape CR/LF characters (0x0D, 0x0A) before they reach logging functions. Restrict application access to trusted users only by enforcing strong authentication and auditing account grants, limiting the pool of potential attackers. Monitor log files for suspicious patterns such as multiple consecutive newlines or unexpected log entries, which may indicate injection attempts. These controls address the attack surface but do not eliminate the underlying flaw and should not delay patching.
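The interim control described above, shown as an added example rather than code from the Rental Management System: a log helper that neutralizes CR/LF before the value reaches the logger, beside the unsafe concatenation pattern it replaces, plus a check for the monitoring control. The class name, field names and log format are assumptions.

```java
import java.util.logging.Logger;

public class TransactionLogExample {
    private static final Logger LOG = Logger.getLogger("Transaction");

    // Assumed vulnerable pattern (not the project's actual code): the
    // user-controlled field is concatenated into the message unchanged, so a
    // value containing CR/LF splits one log record into several.
    static String unsafeEntry(String customer, String item) {
        return "RENT customer=" + customer + " item=" + item;
    }

    // Hardened: CR (0x0D) and LF (0x0A) become visible escapes, and any other
    // ASCII control character is rendered as a backslash-u hex escape, so one
    // log call can never produce more than one line.
    static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r') {
                out.append("\\r");
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c < 0x20 || c == 0x7f) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    static String safeEntry(String customer, String item) {
        return "RENT customer=" + sanitize(customer) + " item=" + sanitize(item);
    }

    // Monitoring aid: a stored record that still holds a raw CR or LF was not
    // written through the sanitizer and deserves a look.
    static boolean looksInjected(String rawRecord) {
        return rawRecord.indexOf('\r') >= 0 || rawRecord.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample input: a customer field carrying an embedded line break.
        String customer = "alice\r\nINFO: RETURN customer=bob item=42";
        LOG.info(unsafeEntry(customer, "17")); // appears as two records
        LOG.info(safeEntry(customer, "17"));   // one record, escapes visible
    }
}
```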