EUVD-2025-16982

| CVE-2025-5650 HIGH
2025-06-05 [email protected]
PHP SQLi Online Notice Board
7.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 17:53 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 17:53 euvd
EUVD-2025-16982
PoC Detected
Jun 10, 2025 - 15:05 vuln.today
Public exploit code
CVE Published
Jun 05, 2025 - 10:15 nvd
HIGH 7.3

DescriptionNVD

A vulnerability classified as critical was found in 1000projects Online Notice Board 1.0. This vulnerability affects unknown code of the file /register.php. The manipulation of the argument fname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AnalysisAI

Critical SQL injection vulnerability in 1000projects Online Notice Board version 1.0 affecting the /register.php file's fname parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially exfiltrate or modify database contents. The vulnerability has been publicly disclosed with exploit code availability, creating immediate risk for deployed instances. With a CVSS score of 7.3 and network-accessible attack vector requiring no authentication, this poses significant risk to organizations using this software, though CVSS does not reflect the severity as 'critical' (which typically requires CVSS ≥9.0).

Technical ContextAI

The vulnerability stems from improper input validation and parameterization in PHP application code, specifically CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The /register.php file fails to sanitize or use prepared statements for the fname parameter before incorporating it into SQL queries. This classic SQL injection flaw allows attackers to break out of intended SQL context by injecting metacharacters (quotes, semicolons, SQL keywords) to execute arbitrary database commands. The affected product is 1000projects Online Notice Board 1.0 (CPE likely: cpe:2.3:a:1000projects:online_notice_board:1.0). The vulnerability exists in the user registration functionality, a common attack surface in web applications, and may affect related parameters beyond fname as indicated in the advisory.

RemediationAI

Contact 1000projects for security patch or upgrade. Check vendor website/advisory for patched version (likely 1.1 or higher) - availability status unknown based on CVE publication date.; priority: CRITICAL Immediate Workaround: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in /register.php (detect quotes, semicolons, SQL keywords in fname parameter); block registration endpoint at network perimeter if not immediately needed; priority: HIGH Code-Level Mitigation: If patch unavailable: (1) Replace all SQL concatenation with prepared statements/parameterized queries in /register.php; (2) Implement strict input validation: allowlist fname to alphanumeric + spaces only; (3) Apply least privilege to database user credentials used by application; priority: HIGH Detection & Monitoring: Enable SQL error logging; monitor for unusual database queries from application; implement IDS/IPS signatures for SQL injection attempts; review recent database logs for signs of exploitation; priority: MEDIUM Long-term: Upgrade to patched version when available; conduct full code audit of all user input handling in application; implement secure development training for team; consider replacing unmaintained software with actively supported alternatives; priority: MEDIUM

Share

EUVD-2025-16982 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy