Prison Management System
CVE-2025-14589
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in code-projects Prison Management System 2.0. This issue affects some unknown processing of the file /admin/search.php. Executing a manipulation of the argument keyname can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Analysis (AI)
SQL injection in code-projects Prison Management System 2.0 lets an authenticated remote attacker alter the SQL query that /admin/search.php executes, via the keyname parameter. Exploit code is public. The rating is nevertheless Low: the vector requires a valid low-privilege login (PR:L), the impact is limited to low confidentiality, integrity and availability loss on the vulnerable system itself (VC:L/VI:L/VA:L) with no effect on subsequent systems (SC:N/SI:N/SA:N), and the score listed here is 2.1.
Technical Context (AI)
The flaw is in the administrative search page of this PHP application. /admin/search.php takes the keyname request parameter and builds a SQL query from it without neutralising SQL metacharacters, which the advisory classifies under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the parent category of SQL injection (CWE-89). In the typical form of this bug the parameter is concatenated into the query string, so a single quote in keyname terminates the intended string literal and the rest of the value is parsed as SQL: an attacker can append a tautology to bypass the search filter, a comment sequence to discard the remainder of the original query, or a UNION to read rows from other tables. The vector's PR:L means the attacker must first hold a valid account that can reach the admin panel; it does not mean the request is unauthenticated.
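The concatenation pattern described above, and the bound-parameter form that fixes it, as an added example. This is not code from Prison Management System 2.0 (a PHP/MySQL application whose source is not shown on this page); it is a Python model using sqlite3, and the table names, columns, sample rows and the two payloads are constructed assumptions chosen to make the effect visible.

```python
import sqlite3

# Constructed stand-in for the application's database. The real schema of
# Prison Management System 2.0 is not shown on this page; table and column
# names here are assumptions chosen to make the demonstration readable.
SAMPLE_PRISONERS = [
    (1, "John Doe", "Block A"),
    (2, "Jane Roe", "Block B"),
    (3, "Max Mustermann", "Block A"),
]


def make_db():
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prisoners (id INTEGER, name TEXT, cell TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO prisoners VALUES (?, ?, ?)", SAMPLE_PRISONERS)
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'hashed-secret')")
    return conn


def search_vulnerable(conn, keyname):
    """The pattern the advisory describes: the request parameter is spliced
    into the query text, so a quote inside `keyname` closes the string literal
    and everything after it is parsed as SQL."""
    sql = "SELECT id, name, cell FROM prisoners WHERE name LIKE '%" + keyname + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, keyname):
    """Hardened form: the value is bound to a placeholder and never becomes part
    of the SQL text, so quotes, comments and UNIONs in it are just characters."""
    sql = "SELECT id, name, cell FROM prisoners WHERE name LIKE ?"
    return conn.execute(sql, ("%" + keyname + "%",)).fetchall()


# Two constructed payloads for the keyname parameter (assumptions, not the
# public exploit). The trailing "-- " is a line comment in SQLite and MySQL
# (MySQL needs the space); it discards the closing "%'" of the original query.
# 1. Tautology: the name filter is OR'ed with a condition that is always true.
PAYLOAD_TAUTOLOGY = "x%' OR 1=1 -- "
# 2. UNION with a matching column count: admin credentials land in the results.
PAYLOAD_UNION = "zzz' UNION SELECT id, username, password_hash FROM admin -- "


def demo():
    """Run both search variants against a benign term and both payloads."""
    conn = make_db()
    return {
        "benign_vulnerable": search_vulnerable(conn, "Jane"),
        "benign_fixed": search_fixed(conn, "Jane"),
        "tautology_vulnerable": search_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "tautology_fixed": search_fixed(conn, PAYLOAD_TAUTOLOGY),
        "union_vulnerable": search_vulnerable(conn, PAYLOAD_UNION),
        "union_fixed": search_fixed(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} -> {rows}")
```

With the vulnerable query the tautology payload returns every prisoner row and the UNION payload returns the admin credential row; with the bound parameter both payloads are searched for literally and match nothing, while a benign term behaves the same in both versions.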
Remediation (AI)
No fixed version has been publicly confirmed in the available advisory data; upgrade if code-projects publishes one. Until then, change /admin/search.php to pass keyname to the database through a prepared statement with a bound parameter (mysqli or PDO in PHP), which keeps the value out of the SQL text; escaping alone is weaker and easy to get wrong. Validate the parameter against the character set and length a search term legitimately needs. Because the attack requires a valid login, reduce exposure of the admin panel: restrict it to trusted IP ranges at the network or web-server level, and enforce unique, strong passwords and multi-factor authentication if the deployment supports it. A Web Application Firewall rule for SQL injection patterns in the keyname parameter can buy time, but a rule that blocks on any quote character will also reject legitimate searches such as names containing an apostrophe, so test rules against real search traffic before enforcing them. Monitor access logs for /admin/search.php requests whose keyname value combines a quote with SQL keywords or comment sequences, and correlate hits with the source IP and the account used.
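The log check and the false-positive trade-off from the remediation notes, as an added example that is not part of this page or the project. It parses combined-format web server access log lines, decodes the keyname query parameter of /admin/search.php requests, and applies two rules: a broad quote-only rule of the kind an over-eager WAF would use, and a tighter rule that needs a quote followed by a SQL keyword, a UNION SELECT, or a comment sequence. The log lines are constructed for the example; the IP addresses and timestamps are not from any real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not from any real
# deployment). Lines 2 and 3 carry injection payloads aimed at keyname; line 5
# is a legitimate search for a name that happens to contain an apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2025:10:01:02 +0000] "GET /admin/search.php?keyname=Jane HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2025:10:01:40 +0000] "GET /admin/search.php?keyname=x%25%27+OR+1%3D1+--+ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2025:10:02:11 +0000] "GET /admin/search.php?keyname=zzz%27+UNION+SELECT+1%2Cusername%2Cpassword+FROM+admin--+ HTTP/1.1" 200 2210 "-" "sqlmap/1.8"
198.51.100.9 - - [12/Jan/2025:10:02:30 +0000] "GET /admin/dashboard.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:03:00 +0000] "GET /admin/search.php?keyname=O%27Brien HTTP/1.1" 200 1700 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Broad rule: any quote character. Catches the attacks, but also O'Brien.
NAIVE_RE = re.compile(r"""['"]""")
# Tighter rule: a quote followed by a boolean/UNION keyword, a UNION SELECT,
# or a comment sequence used to discard the tail of the original query.
SQLI_RE = re.compile(r"""(?i)(['"]\s*(or|and|union)\b|\bunion\s+select\b|--|/\*)""")


def keyname_values(target):
    """Return the decoded keyname values if the request targets /admin/search.php."""
    parts = urlsplit(target)
    if parts.path != "/admin/search.php":
        return []
    # parse_qs undoes percent-encoding and '+' so the rule sees what PHP saw.
    return parse_qs(parts.query).get("keyname", [])


def scan(log_text, strict=True):
    """Return one finding per request whose keyname value trips the chosen rule.

    strict=True uses SQLI_RE; strict=False uses the quote-only NAIVE_RE, which
    is the over-broad rule that also flags legitimate searches such as O'Brien.
    """
    rule = SQLI_RE if strict else NAIVE_RE
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        for value in keyname_values(m.group("target")):
            if rule.search(value):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "keyname": value, "ua": m.group("ua")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} keyname={f['keyname']!r} ua={f['ua']}")
```

On the sample lines the strict rule flags the two injection attempts and nothing else; the quote-only rule additionally flags the O'Brien search, which is the kind of false positive that makes an over-broad WAF rule expensive on a search endpoint. Matching on the decoded value matters: the payloads arrive percent-encoded, and a rule applied to the raw request line would miss them.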