Skip to main content

Computer Laboratory System CVE-2025-60307

CRITICAL
SQL Injection (CWE-89)
2025-10-10 cve@mitre.org
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Remote unauthenticated login bypass via the Password field gives low-complexity full data access (C:H/I:H); availability impact is not evidenced by a pure auth bypass, so A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:50 vuln.today

DescriptionCVE.org

code-projects Computer Laboratory System 1.0 has a SQL injection vulnerability, where entering a universal password in the Password field on the login page can bypass login attempts.

AnalysisAI

Authentication bypass via SQL injection in code-projects Computer Laboratory System 1.0 allows a remote unauthenticated attacker to log in as a valid user by submitting a crafted 'universal password' in the login form's Password field. The injected SQL manipulates the login query so the authentication check always evaluates true, granting access without valid credentials. Publicly available exploit code exists (PoC published on GitHub), though the low EPSS score (0.42%, 34th percentile) and absence from CISA KEV indicate no confirmed active exploitation at time of analysis.

Technical ContextAI

The affected software is code-projects 'Computer Laboratory System' version 1.0 (CPE cpe:2.3:a:carmelo:computer_laboratory_system:1.0), a small PHP/MySQL web application of the kind distributed as free source-code demos. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input from the Password field is concatenated directly into a SQL query rather than passed as a parameterized value. A classic tautology-based injection (e.g. a payload closing the string and appending an always-true OR condition, or a comment sequence to truncate the query) causes the WHERE clause of the authentication SELECT to match a row regardless of the actual stored password, producing the 'universal password' login bypass described.

RemediationAI

No vendor-released patch identified at time of analysis, as this is a source-code demo project without a formal advisory. The primary compensating control is at the code level: replace the vulnerable login query with parameterized/prepared statements (PDO or mysqli bound parameters) so the Password field can never alter query structure, and add server-side input validation. As immediate operational mitigations, restrict network access to the application (place it behind a VPN or IP allowlist rather than exposing the login page to the internet), and deploy a WAF rule to block common SQL metacharacters and tautology patterns on the login endpoint - noting this may cause false positives on legitimate passwords containing quotes or comment sequences. Given the product's demo nature, the most defensible option is to retire it from any production or internet-facing use. Refer to the PoC at https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60307.md to build detection signatures for the specific payload.

Share

CVE-2025-60307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy