EUVD-2025-16860

CVE-2025-5581 | HIGH | 7.3 (CVSS 3.1)
2025-06-04 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd), EUVD-2025-16860
- PoC Detected: Jun 04, 2025 - 17:44 (vuln.today), Public exploit code
- CVE Published: Jun 04, 2025 - 09:15 (nvd), HIGH 7.3

Description

A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument User leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical SQL injection vulnerability in CodeAstro Real Estate Management System version 1.0 affecting the /admin/index.php file, where the 'User' parameter is improperly validated before database queries. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. Public disclosure of this vulnerability significantly increases exploitation risk, and active exploitation should be anticipated.

Technical Context

The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), specifically manifesting as SQL injection in the authentication or user processing logic of /admin/index.php. The affected product is CodeAstro Real Estate Management System version 1.0, which appears to be a PHP-based web application managing property listings and transactions. The root cause is insufficient input sanitization on the 'User' parameter before it is incorporated into SQL queries. No parameterized queries or prepared statements appear to be implemented for this input vector.

CPE for affected product: cpe:2.3:a:codeastro:real_estate_management_system:1.0:*:*:*:*:*:*:*

Affected Products

- product: CodeAstro Real Estate Management System; version: 1.0; affected_component: /admin/index.php; vulnerable_parameter: User; attack_vector: SQL Injection; cpe: cpe:2.3:a:codeastro:real_estate_management_system:1.0:*:*:*:*:*:*:*

Priority Score

57
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20
