CVE-2025-5708

| EUVD-2025-17039 HIGH
2025-06-06 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17039
PoC Detected
Oct 23, 2025 - 20:06 vuln.today
Public exploit code
CVE Published
Jun 06, 2025 - 01:15 nvd
HIGH 7.3

Tags

PHP SQLi Remote Code Execution Real Estate Property Management System

Description

A vulnerability classified as critical has been found in code-projects Real Estate Property Management System 1.0. This affects an unknown part of the file /Admin/NewsReport.php. The manipulation of the argument txtFrom leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/NewsReport.php file where the 'txtFrom' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical Context

This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), a broad category encompassing SQL injection flaws. The Real Estate Property Management System (CPE: likely cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*) contains unvalidated user input in the txtFrom parameter passed to /Admin/NewsReport.php. The application fails to properly escape, parameterize, or validate SQL query inputs before executing database operations. This is a classic SQL injection vulnerability where attackers craft malicious SQL payloads within the txtFrom field to break out of intended query context and execute unauthorized database commands.

Affected Products

Affected Product: code-projects Real Estate Property Management System, Version: 1.0, Component: /Admin/NewsReport.php (parameter: txtFrom). CPE estimate: cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*. No patched version information is available in the provided data. The vulnerability affects any deployed instance of this exact version without compensating controls.

Remediation

Immediate Actions: (1) PATCH: Upgrade to a patched version if available from code-projects (version information not provided in sources—contact vendor directly for patch release); (2) INPUT VALIDATION: Implement strict whitelist validation for the txtFrom parameter—validate expected format, length, and character set before use; (3) PARAMETERIZED QUERIES: Refactor /Admin/NewsReport.php to use parameterized/prepared statements for all SQL queries, eliminating SQL injection risk; (4) TEMPORARY MITIGATION: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in txtFrom parameter (e.g., detect 'OR', 'UNION', comment sequences); (5) ACCESS CONTROL: Restrict /Admin/ directory to known IP ranges and require additional authentication if possible; (6) MONITORING: Enable SQL query logging and audit logs to detect exploitation attempts. Contact code-projects support for official patch information and timeline.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-5708 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy