EUVD-2025-17039Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability classified as critical has been found in code-projects Real Estate Property Management System 1.0. This affects an unknown part of the file /Admin/NewsReport.php. The manipulation of the argument txtFrom leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/NewsReport.php file where the 'txtFrom' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
Technical ContextAI
This vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), a broad category encompassing SQL injection flaws. The Real Estate Property Management System (CPE: likely cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*) contains unvalidated user input in the txtFrom parameter passed to /Admin/NewsReport.php. The application fails to properly escape, parameterize, or validate SQL query inputs before executing database operations. This is a classic SQL injection vulnerability where attackers craft malicious SQL payloads within the txtFrom field to break out of intended query context and execute unauthorized database commands.
RemediationAI
Immediate Actions: (1) PATCH: Upgrade to a patched version if available from code-projects (version information not provided in sources—contact vendor directly for patch release); (2) INPUT VALIDATION: Implement strict whitelist validation for the txtFrom parameter—validate expected format, length, and character set before use; (3) PARAMETERIZED QUERIES: Refactor /Admin/NewsReport.php to use parameterized/prepared statements for all SQL queries, eliminating SQL injection risk; (4) TEMPORARY MITIGATION: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in txtFrom parameter (e.g., detect 'OR', 'UNION', comment sequences); (5) ACCESS CONTROL: Restrict /Admin/ directory to known IP ranges and require additional authentication if possible; (6) MONITORING: Enable SQL query logging and audit logs to detect exploitation attempts. Contact code-projects support for official patch information and timeline.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today