itsourcecode Insurance Management System CVE-2025-8135
Severity (by source): Low
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as critical, has been found in itsourcecode Insurance Management System 1.0. This issue affects some unknown processing of the file /updateAgent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
SQL injection in itsourcecode Insurance Management System 1.0 allows authenticated remote attackers to manipulate the agent_id parameter of /updateAgent.php, enabling unauthorized database queries with limited confidentiality and integrity impact. Despite the critical classification in the metadata, the CVSS 4.0 vector yields a low severity (score 2.1) because prior authentication is required and the scope is restricted. Public exploit code is available, though the EPSS score of 0.06% (20th percentile) suggests minimal real-world exploitation likelihood.
Technical Context (AI-generated)
The vulnerability resides in the /updateAgent.php file of a PHP-based insurance management web application. The application fails to properly sanitize or parameterize user-supplied input in the agent_id parameter before incorporating it into SQL queries. This is a direct instance of improper input neutralization (CWE-74), where untrusted data bypasses SQL command syntax validation. The affected product is identified by the CPE cpe:2.3:a:angeljudesuarez:insurance_management_system:1.0:*:*:*:*:*:*:*, indicating the commercial version 1.0 from itsourcecode. Unlike classic SQL injection vulnerabilities that allow remote code execution or complete database compromise, this instance is constrained by the CVSS 4.0 metrics, which indicate limited confidentiality and integrity impact within the application's scope.
Remediation (AI-generated)
Upgrade to a patched version of itsourcecode Insurance Management System if one is available from the vendor at itsourcecode.com. If no vendor-released patch is available, implement input validation and parameterized queries (prepared statements) in /updateAgent.php so that the agent_id parameter is never concatenated into SQL. Restrict access to /updateAgent.php through role-based access control, ensuring only authorized administrators can invoke agent update functions. Apply Web Application Firewall (WAF) rules to block SQL injection patterns in the agent_id parameter (trade-off: this may cause false positives if legitimate agent IDs contain special characters). Monitor application logs for SQL error messages or unusual query patterns indicating exploitation attempts. Conduct a source code audit to identify similar SQL injection patterns in other PHP files within the application. Consult vuldb.com/?ctiid.317531 and vuldb.com/?id.317531 for community-contributed mitigation guidance.
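As an added example (not the project's own code), the pattern the advisory describes in /updateAgent.php next to a hardened handler that validates the type of agent_id, binds it as a parameter and enforces the role check recommended above. The `$db` mysqli connection, the `agents` table, the `$session['role']` value and the function names are assumptions.

```php
<?php
// Constructed illustration for CVE-2025-8135, not itsourcecode's actual source.
// Assumes a mysqli connection in $db and an `agents` table with an integer
// primary key `agent_id` and a `name` column.

// Vulnerable pattern: agent_id and name are interpolated straight into the query,
// so the database sees whatever the request body contained.
function updateAgentUnsafe(mysqli $db, array $post): bool
{
    $sql = "UPDATE agents SET name = '{$post['name']}' WHERE agent_id = {$post['agent_id']}";
    return $db->query($sql) !== false;
}

// Hardened version: authorization check, strict input validation, prepared statement.
function updateAgentSafe(mysqli $db, array $post, array $session): bool
{
    // Role-based access control: only administrators may update agents.
    if (($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        return false;
    }
    // agent_id must be a positive integer; anything else is rejected before any SQL runs.
    $agentId = filter_var($post['agent_id'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($agentId === false) {
        http_response_code(400);
        return false;
    }
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        http_response_code(400);
        return false;
    }
    // The SQL text is fixed; values travel separately as bound parameters.
    $stmt = $db->prepare('UPDATE agents SET name = ? WHERE agent_id = ?');
    if ($stmt === false) {
        // Log for monitoring, but never echo database errors back to the client.
        error_log('updateAgent prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('si', $name, $agentId);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('updateAgent execute failed for agent_id=' . $agentId);
    }
    $stmt->close();
    return $ok;
}
```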