EUVD-2025-17038
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability was found in code-projects Real Estate Property Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /Admin/Property.php. The manipulation of the argument cmbCat leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/Property.php file where the 'cmbCat' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the property management database. The exploit has been publicly disclosed with proof-of-concept code available, significantly elevating real-world exploitation risk.
Technical Context
This vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), manifesting as a classical SQL injection flaw. The Real Estate Property Management System processes user input from the 'cmbCat' parameter without proper parameterized queries, input validation, or output encoding before passing it to SQL database operations. The affected component is the /Admin/Property.php administrative interface, which typically handles property categorization operations. The vulnerability exists because the application fails to use prepared statements or bind parameters when constructing SQL queries, allowing attackers to inject malicious SQL syntax through the category selection parameter. This is a server-side vulnerability affecting the backend database layer of a PHP-based web application.
Affected Products
code-projects Real Estate Property Management System version 1.0. CPE would likely be: cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*. The vulnerability specifically affects the /Admin/Property.php file. No information indicates that version 2.0 or later addresses this flaw, so all deployments of v1.0 should be considered vulnerable. Systems running this application on publicly accessible web servers (HTTP/HTTPS on ports 80/443) are at immediate risk.
Remediation
Immediate remediation steps: (1) Upgrade to a patched version if available from code-projects; verify with vendor whether version 2.0+ contains fixes for CVE-2025-5705. (2) If upgrade is unavailable, implement immediate compensating controls: restrict /Admin/ directory access to trusted IPs only via firewall or web server configuration (allow-list); implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the cmbCat parameter. (3) Apply input validation: implement strict whitelist validation for the cmbCat parameter to accept only expected category IDs (numeric or predefined strings). (4) Code-level fix if internal resources available: replace all SQL query constructions in Property.php with parameterized prepared statements using either mysqli_prepare() or PDO prepared statements, ensuring all user input is bound as data, not code. (5) Conduct immediate database audit to detect any unauthorized access or data modification since deployment. (6) Monitor database logs for suspicious query patterns indicative of exploitation attempts.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today