CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability classified as critical was found in code-projects Real Estate Property Management System 1.0. This vulnerability affects unknown code of the file /Admin/InsertCategory.php. The manipulation of the argument txtCategoryName leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0 affecting the /Admin/InsertCategory.php endpoint. An unauthenticated remote attacker can manipulate the txtCategoryName parameter to execute arbitrary SQL commands, potentially compromising database confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, making active exploitation a significant risk.
Technical Context
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), specifically manifesting as SQL injection. The root cause stems from insufficient input validation and sanitization of user-supplied data (txtCategoryName) before it is incorporated into SQL queries within the /Admin/InsertCategory.php file. The Real Estate Property Management System processes category insertion operations through this PHP endpoint without implementing parameterized queries, prepared statements, or proper escaping mechanisms. This allows attackers to break out of intended SQL syntax and inject malicious SQL commands that execute with the application's database privileges. The vulnerable component is a web-based administrative interface handling data insertion operations, typical of PHP-based management systems lacking modern secure coding practices.
Affected Products
code-projects Real Estate Property Management System version 1.0. The vulnerable endpoint /Admin/InsertCategory.php is specifically affected, with the txtCategoryName parameter serving as the injection vector. CPE data for this product would be: cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*. The vulnerability affects all default installations of version 1.0 without patches applied. No vendor advisory links are provided in the source data; however, affected organizations should contact code-projects directly for patch availability status.
Remediation
Immediate remediation steps:
(1) Apply available security patches from code-projects for Real Estate Property Management System; contact the vendor directly if patches are not yet publicly available.
(2) If patches are unavailable, implement temporary mitigations: restrict access to /Admin/InsertCategory.php via network firewall rules or WAF rules blocking access except from trusted administrative networks.
(3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the txtCategoryName parameter (detect quotes, SQL keywords, comment sequences).
(4) Code-level remediation (if vendor patch is delayed): replace all dynamic SQL queries with parameterized prepared statements using PHP PDO or mysqli with bound parameters; validate and sanitize txtCategoryName input using strict whitelisting (alphanumeric + underscore only); apply proper output encoding.
(5) Conduct database activity monitoring and review logs for evidence of exploitation attempts.
(6) Perform security testing post-remediation using OWASP ZAP or similar tools to verify SQL injection vulnerabilities are eliminated.
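The code-level remediation in step (4), sketched as an added example; it is not code from this advisory or from code-projects. The table and column names, the function names, the 64-character limit and the in-memory SQLite database (a stand-in for the application's own database) are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: the advisory does not show the real table or column names.
function openDemoDb(): PDO
{
    // In-memory SQLite stands in for the application's database so this runs offline.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

// Allowlist from the remediation text: alphanumeric plus underscore only.
// The 1..64 length bound is an assumption, not taken from the advisory.
function isValidCategoryName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) === 1;
}

// The value is bound as a parameter, so the driver never parses it as SQL text.
function insertCategory(PDO $pdo, string $name): bool
{
    if (!isValidCategoryName($name)) {
        return false; // reject before touching the database
    }
    $stmt = $pdo->prepare('INSERT INTO category (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return true;
}

$pdo = openDemoDb();

// Constructed sample values standing in for $_POST['txtCategoryName'].
foreach (['Apartments', 'Beach_Houses', "O'Brien Estates", ''] as $value) {
    $result = insertCategory($pdo, $value) ? 'stored' : 'rejected';
    printf("%-20s %s\n", var_export($value, true), $result);
}

// Binding alone keeps a quote inert: with validation skipped on purpose,
// the value is still stored verbatim as data rather than altering the statement.
$stmt = $pdo->prepare('INSERT INTO category (name) VALUES (:name)');
$stmt->execute([':name' => "O'Brien Estates"]);
$check = $pdo->prepare('SELECT name FROM category WHERE name = :name');
$check->execute([':name' => "O'Brien Estates"]);
var_dump($check->fetchColumn());
```

The allowlist and the bound parameter are independent controls: the allowlist narrows what the application accepts, while the prepared statement is what removes the injection path.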
EUVD-2025-17043