Computer Laboratory System
CVE-2025-60307
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated login bypass via the Password field gives low-complexity full data access (C:H/I:H); availability impact is not evidenced by a pure auth bypass, so A:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
code-projects Computer Laboratory System 1.0 has a SQL injection vulnerability, where entering a universal password in the Password field on the login page can bypass login attempts.
AnalysisAI
Authentication bypass via SQL injection in code-projects Computer Laboratory System 1.0 allows a remote unauthenticated attacker to log in as a valid user by submitting a crafted 'universal password' in the login form's Password field. The injected SQL manipulates the login query so the authentication check always evaluates true, granting access without valid credentials. Publicly available exploit code exists (PoC published on GitHub), though the low EPSS score (0.42%, 34th percentile) and absence from CISA KEV indicate no confirmed active exploitation at time of analysis.
Technical ContextAI
The affected software is code-projects 'Computer Laboratory System' version 1.0 (CPE cpe:2.3:a:carmelo:computer_laboratory_system:1.0), a small PHP/MySQL web application of the kind distributed as free source-code demos. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input from the Password field is concatenated directly into a SQL query rather than passed as a parameterized value. A classic tautology-based injection (e.g. a payload closing the string and appending an always-true OR condition, or a comment sequence to truncate the query) causes the WHERE clause of the authentication SELECT to match a row regardless of the actual stored password, producing the 'universal password' login bypass described.
RemediationAI
No vendor-released patch identified at time of analysis, as this is a source-code demo project without a formal advisory. The primary compensating control is at the code level: replace the vulnerable login query with parameterized/prepared statements (PDO or mysqli bound parameters) so the Password field can never alter query structure, and add server-side input validation. As immediate operational mitigations, restrict network access to the application (place it behind a VPN or IP allowlist rather than exposing the login page to the internet), and deploy a WAF rule to block common SQL metacharacters and tautology patterns on the login endpoint - noting this may cause false positives on legitimate passwords containing quotes or comment sequences. Given the product's demo nature, the most defensible option is to retire it from any production or internet-facing use. Refer to the PoC at https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60307.md to build detection signatures for the specific payload.
More in Computer Laboratory System
View allcode-projects Computer Laboratory System 1.0 has a file upload vulnerability. Rated high severity (CVSS 7.3), this vulne
Unrestricted file upload in Computer Laboratory System 1.0 via the technical_staff_pic.php file allows high-privilege us
Unrestricted file upload in Computer Laboratory System 1.0 via the admin_pic.php image parameter allows high-privilege a
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today