EUVD-2025-17035

CVE-2025-5704 | HIGH 7.3 (CVSS 3.1)
2025-06-05 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 17:53 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 17:53 (euvd), EUVD-2025-17035
PoC Detected: Oct 23, 2025 20:06 (vuln.today), public exploit code
CVE Published: Jun 05, 2025 23:15 (nvd), HIGH 7.3

Description

A vulnerability was found in code-projects Real Estate Property Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /Admin/User.php. The manipulation of the argument txtUserName leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

SQL injection in code-projects Real Estate Property Management System version 1.0, in the txtUserName parameter handled by /Admin/User.php. The CVE description classifies the issue as critical; the CVSS 3.1 vector on this page scores it 7.3 (High): network-reachable, low complexity, no privileges or user interaction required, with partial (Low) impact on confidentiality, integrity and availability. An unauthenticated remote attacker who can reach the admin endpoint can inject arbitrary SQL into the affected query and so read or alter database contents or disrupt the application. Public exploit code has been detected, and no vendor fix is recorded here, which makes this a high-priority remediation target even though it is not listed in KEV and the EPSS contribution is low.

Technical Context

The vulnerability is in the PHP code of the administrative interface that manages users. The weakness class recorded is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the parent of the more specific CWE-89 (SQL Injection). The description states only that manipulation of txtUserName leads to SQL injection, so the exact code path is undisclosed; the pattern that produces this class of bug is user input from the txtUserName parameter being placed into the SQL text (string concatenation or interpolation) instead of being passed as a bound parameter of a prepared statement. Because the tainted value reaches the database within the same request, this is a first-order (classic) SQL injection arising from dynamic SQL construction, not a stored or second-order one.

Affected Products

code-projects Real Estate Property Management System version 1.0. A corresponding CPE 2.3 name would be cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*. Only version 1.0 is listed; no affected version range and no patched or fixed version is documented in the available data.

Remediation

Immediate actions:
(1) Take /Admin/User.php off the public internet, or restrict it by network and authentication, until it is fixed. A WAF rule that blocks SQL injection patterns in the txtUserName parameter is a stopgap only, since pattern-based filters are routinely bypassed.
(2) Rewrite the query that consumes txtUserName to use a prepared statement with bound parameters (PHP PDO or mysqli) instead of string concatenation, and apply the same change to every other request parameter the file passes to SQL.
(3) Validate usernames against a whitelist (alphanumeric plus only the special characters the application actually allows, with a length limit) before they reach any query.
(4) Encode user-controlled values when rendering them in HTML; this does not fix the injection but keeps the same field from becoming an XSS sink.
(5) Turn off display of database errors to clients (display_errors off in production, errors logged server-side) so failed injection attempts do not leak schema or query details.
(6) Because public exploit code exists, review web server logs for requests to /Admin/User.php whose txtUserName value contains quotes, SQL comment markers (--, #) or SQL keywords.
Contact code-projects for patch availability; no fixed version is identified in the available data. Upgrade if a patched version appears, or migrate to actively maintained real estate management software if the vendor does not respond.
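As an added example, not code from the code-projects application or from vuln.today, the PHP below contrasts the concatenation pattern described under Technical Context with a hardened lookup that applies remediation steps (2), (3) and (5): whitelist validation, a mysqli prepared statement with a bound parameter, and error handling that logs server-side only. The table and column names (users, id, username), the mysqli connection, the username character policy, and the assumption that txtUserName is a form field used to look a user up are all assumptions; the advisory says only that txtUserName reaches a SQL query without neutralization.

```php
<?php
// Added example, not the application's own code. Table and column names
// (users, id, username), the use of mysqli and the username policy are
// assumptions; the advisory does not disclose the actual query.
declare(strict_types=1);

// Vulnerable pattern (assumed reconstruction): txtUserName is concatenated
// into the SQL text. A value such as  admin' OR '1'='1  closes the quoted
// literal and appends an always-true condition, so the WHERE clause no
// longer restricts the result to one user; UNION payloads extend this to
// reading other tables.
function buildVulnerableQuery(string $txtUserName): string
{
    return "SELECT id, username FROM users WHERE username = '" . $txtUserName . "'";
}

function findUserVulnerable(mysqli $db, string $txtUserName): ?array
{
    $result = $db->query(buildVulnerableQuery($txtUserName));
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened lookup: validate first, then bind.
// The allowed character set is an assumed policy; adjust to the app's rules.
const USERNAME_PATTERN = '/^[A-Za-z0-9._-]{1,64}$/';

function isValidUserName(string $txtUserName): bool
{
    return preg_match(USERNAME_PATTERN, $txtUserName) === 1;
}

function findUserSafe(mysqli $db, string $txtUserName): ?array
{
    // Step (3): whitelist validation; anything outside the allowed set is rejected
    if (!isValidUserName($txtUserName)) {
        return null;
    }
    try {
        // Step (2): prepared statement. The value travels as a bound parameter
        // and is never parsed as SQL text, whatever quotes it contains.
        $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
        $stmt->bind_param('s', $txtUserName);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
        $stmt->close();
        return $row ?: null;
    } catch (mysqli_sql_exception $e) {
        // Step (5): keep SQL detail out of the HTTP response. Log it, return a
        // generic failure. PHP 8.1+ mysqli throws by default; older versions need
        // mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) first.
        error_log('user lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Request handler wiring (assumed form field and connection details):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db   = new mysqli('localhost', 'app', $dbPassword, 'realestate');
// $user = findUserSafe($db, (string)($_POST['txtUserName'] ?? ''));
```

With txtUserName set to admin' OR '1'='1, buildVulnerableQuery returns SELECT id, username FROM users WHERE username = 'admin' OR '1'='1', which matches every row in the table. findUserSafe rejects that same input at validation, and an input that did pass validation would reach the database only as a parameter value, so the query structure cannot be changed by it. Validation is kept even though binding alone closes the injection: it shrinks the attack surface for other sinks (logging, HTML output) that the same value may later reach.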

Priority Score

57 (components: KEV 0, EPSS +0.1, CVSS +36, POC +20)


EUVD-2025-17035 vulnerability details – vuln.today
