itsourcecode Insurance Management System CVE-2025-7904
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability, which was classified as critical, was found in itsourcecode Insurance Management System 1.0. This affects an unknown part of the file /insertNominee.php. The manipulation of the argument nominee_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in itsourcecode Insurance Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the nominee_id parameter in /insertNominee.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, though EPSS scoring (0.09th percentile) suggests minimal real-world exploitation likelihood despite the critical classification and public disclosure.
Technical ContextAI
The vulnerability exists in a PHP-based insurance management application where user input from the nominee_id parameter is passed directly into SQL queries without proper sanitization or parameterized statement use. CWE-74 (Improper Neutralization of Special Elements in Output) indicates the root cause involves insufficient escaping or validation of SQL metacharacters before database query execution. The vulnerability affects version 1.0 of the application developed by Angel Jude Suarez, as identified by CPE cpe:2.3:a:angeljudesuarez:insurance_management_system:1.0:*:*:*:*:*:*:*. The attack surface is the /insertNominee.php endpoint, which processes nominee data insertion operations.
RemediationAI
Upgrade to a patched version if available from itsourcecode.com; however, no specific patched version number has been publicly disclosed in available sources. Immediate mitigation: implement parameterized prepared statements for all database queries, particularly in /insertNominee.php, replacing concatenated SQL with bound parameters to neutralize SQL injection payloads. Additionally, apply input validation to the nominee_id parameter (whitelist numeric-only values if IDs are numeric, implement length restrictions, and reject special SQL characters). Enforce principle of least privilege on the database account used by the application - restrict the PHP application's database user to execute only INSERT and SELECT operations on the nominee table, preventing DROP TABLE or UNION-based attacks. Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the nominee_id parameter (e.g., blocking single quotes, double dashes, semicolons when not expected). The authentication requirement (PR:L) means compromised or malicious insider accounts present the primary risk; monitor database query logs for anomalous SQL patterns and implement database activity monitoring (DAM) to detect injection attempts. Contact itsourcecode.com directly for security patch availability and guidance.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today