EUVD-2025-17038Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in code-projects Real Estate Property Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /Admin/Property.php. The manipulation of the argument cmbCat leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/Property.php file where the 'cmbCat' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the property management database. The exploit has been publicly disclosed with proof-of-concept code available, significantly elevating real-world exploitation risk.
Technical ContextAI
This vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), manifesting as a classical SQL injection flaw. The Real Estate Property Management System processes user input from the 'cmbCat' parameter without proper parameterized queries, input validation, or output encoding before passing it to SQL database operations. The affected component is the /Admin/Property.php administrative interface, which typically handles property categorization operations. The vulnerability exists because the application fails to use prepared statements or bind parameters when constructing SQL queries, allowing attackers to inject malicious SQL syntax through the category selection parameter. This is a server-side vulnerability affecting the backend database layer of a PHP-based web application.
RemediationAI
Immediate remediation steps: (1) Upgrade to a patched version if available from code-projects; verify with vendor whether version 2.0+ contains fixes for CVE-2025-5705. (2) If upgrade is unavailable, implement immediate compensating controls: restrict /Admin/ directory access to trusted IPs only via firewall or web server configuration (allow-list); implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the cmbCat parameter. (3) Apply input validation: implement strict whitelist validation for the cmbCat parameter to accept only expected category IDs (numeric or predefined strings). (4) Code-level fix if internal resources available: replace all SQL query constructions in Property.php with parameterized prepared statements using either mysqli_prepare() or PDO prepared statements, ensuring all user input is bound as data, not code. (5) Conduct immediate database audit to detect any unauthorized access or data modification since deployment. (6) Monitor database logs for suspicious query patterns indicative of exploitation attempts.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today