CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability, which was classified as critical, was found in code-projects Real Estate Property Management System 1.0. Affected is an unknown function of the file /Admin/InsertCity.php. The manipulation of the argument cmbState leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis
code-projects Real Estate Property Management System 1.0 contains a critical SQL injection vulnerability in the cmbState parameter of the /Admin/InsertCity.php file. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.
Technical Context
This vulnerability stems from improper input validation and parameterization in PHP code handling database queries (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The affected file /Admin/InsertCity.php processes the cmbState parameter without proper SQL escaping or prepared statements, allowing SQL metacharacters to be injected directly into database queries. The Real Estate Property Management System is a web-based application that likely uses PHP with a backend database (MySQL/MariaDB), and the vulnerable endpoint is accessible to unauthenticated users based on the CVSS vector indicating no privilege requirements (PR:N).
Affected Products
code-projects Real Estate Property Management System version 1.0. Specific vulnerable component: /Admin/InsertCity.php file. No CPE string was provided in the source data, but the affected product would likely be identified as: cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*. The vulnerability affects any installation of this version, particularly those exposed to untrusted networks or the public internet.
Remediation
Immediate remediation steps:
(1) Update to a patched version if available from code-projects;
(2) Apply input validation: implement whitelist validation for cmbState parameter to accept only valid state identifiers;
(3) Use prepared statements/parameterized queries for all database interactions in InsertCity.php;
(4) Implement output encoding for database queries;
(5) Apply principle of least privilege to database credentials used by the application.
Workarounds if patch unavailable:
(a) Disable or restrict access to /Admin/InsertCity.php at the web server level (nginx/Apache);
(b) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the cmbState parameter;
(c) Apply strict input validation regex patterns before query execution.
Recommended: Contact code-projects for security updates or migrate to maintained alternatives.
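Remediation steps (2) and (3) combined in one handler, as an added example that is not code from code-projects or from this advisory. The state and city tables, their columns, the city-name input and the insertCity function are hypothetical, since the application's source is not shown here; only the cmbState parameter name comes from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical schema (not from the advisory): state(id, name), city(id, state_id, name).
// Returns true only when the row was inserted.
function insertCity(PDO $db, mixed $rawState, mixed $rawCity): bool
{
    // Allowlist step: cmbState must be a plain positive integer identifier.
    // Arrays, null and strings such as "1 OR 1=1" all fail this filter.
    $stateId = filter_var($rawState, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $city = is_string($rawCity) ? trim($rawCity) : '';
    if ($stateId === false || $city === '' || strlen($city) > 64) {
        return false;
    }

    // The identifier must refer to an existing state. It is bound as a
    // parameter, never concatenated into the SQL text.
    $check = $db->prepare('SELECT 1 FROM state WHERE id = :id');
    $check->execute([':id' => $stateId]);
    if ($check->fetchColumn() === false) {
        return false;
    }

    $insert = $db->prepare('INSERT INTO city (state_id, name) VALUES (:state_id, :name)');
    return $insert->execute([':state_id' => $stateId, ':name' => $city]);
}

// Constructed demo data on an in-memory SQLite database so the script runs offline.
// On MySQL/MariaDB only the DSN changes; also set PDO::ATTR_EMULATE_PREPARES to false
// there so the server performs the parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE state (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE city (id INTEGER PRIMARY KEY, state_id INTEGER, name TEXT)');
$db->exec("INSERT INTO state (id, name) VALUES (1, 'Example State')");

$samples = [
    ['1', 'Springfield'],         // well-formed identifier of an existing state
    ['1 OR 1=1', 'Springfield'],  // not an integer
    ['99', 'Springfield'],        // integer, but no such state
];
foreach ($samples as [$state, $city]) {
    $result = insertCity($db, $state, $city) ? 'inserted' : 'rejected';
    printf("cmbState=%-12s => %s\n", var_export($state, true), $result);
}
```

The validation narrows what reaches the query, but the bound parameters are what prevent injection; keep both so that a later change to the validation rule cannot reopen the query.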
EUVD-2025-17041