CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability was found in code-projects Real Estate Property Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /Admin/EditCity.php. The manipulation leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/EditCity.php endpoint. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed with proof-of-concept code available, and the vulnerability is likely being actively exploited in the wild.
Technical Context
The vulnerability stems from improper input validation and a lack of query parameterization in the EditCity.php administrative interface, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'). The root cause is the failure to sanitize user-supplied input or bind it through prepared statements before incorporating it into SQL queries. This is a classic SQL injection flaw where user-controlled parameters (likely city name, ID, or other form fields) are directly concatenated into dynamically constructed SQL statements without proper escaping or parameterized query mechanisms. The affected product is code-projects Real Estate Property Management System 1.0, a PHP-based web application handling property management operations.
Affected Products
code-projects Real Estate Property Management System version 1.0. CPE would be: cpe:2.3:a:code-projects:real_estate_property_management_system:1.0:*:*:*:*:*:*:*. This appears to be a lesser-known or self-hosted property management platform. No official vendor advisory URL was provided in available intelligence, suggesting either a third-party disclosure or disclosure to a non-responsive vendor.
Remediation
Immediate remediation actions:
(1) Apply input validation and output encoding to all user-supplied parameters in EditCity.php, specifically implementing allowlist-based validation for city names and identifiers.
(2) Refactor all SQL queries to use parameterized prepared statements (mysqli_prepare() or PDO prepared statements in PHP) instead of string concatenation.
(3) Implement the principle of least privilege for database user accounts: ensure the application database user has minimal necessary permissions.
(4) Deploy Web Application Firewall (WAF) rules to block common SQL injection patterns (SQL keywords, comment syntax, union-based attacks) targeting the /Admin/ directory.
(5) Apply strong authentication controls to administrative functions.
(6) Contact code-projects for patch availability. If no patch is available, consider forking/patching the codebase internally or migrating to a patched or alternative solution.
Code review of other administrative endpoints (EditProperty.php, EditAgent.php, etc.) is strongly recommended given the pattern of vulnerability.
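The sketch below illustrates remediation items (1) and (2) for a city-edit handler. It is an added example, not code from the affected project: the advisory does not disclose the vulnerable parameter or schema, so the table `city`, the columns `cid` and `cname`, the POST field names, and the database name and account are all assumptions. It requires PHP 8.0 or later.

```php
<?php
// Added illustration, NOT code-projects' source. Table `city`, columns
// `cid`/`cname`, POST field names and DB account are hypothetical.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Allowlist validation: the id must be a positive integer. */
function validate_city_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Allowlist validation: letters, spaces, dots, apostrophes, hyphens; 1-64 chars. */
function validate_city_name(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    return preg_match("/^[\\p{L}][\\p{L} .'-]{0,63}$/u", $name) === 1 ? $name : null;
}

function update_city(mysqli $db, int $id, string $name): bool
{
    // Pattern the advisory describes (do not use): input concatenated into SQL
    //   $db->query("UPDATE city SET cname='$name' WHERE cid=$id");
    // Hardened: the statement text is fixed; values travel as bound parameters.
    $stmt = $db->prepare('UPDATE city SET cname = ? WHERE cid = ?');
    $stmt->bind_param('si', $name, $id);
    $stmt->execute();
    $changed = $stmt->affected_rows === 1;
    $stmt->close();
    return $changed;
}

// Request handling; the session/role check from item (5) belongs before this.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = validate_city_id($_POST['cid'] ?? null);
    $name = validate_city_name($_POST['cname'] ?? null);
    if ($id === null || $name === null) {
        http_response_code(400);
        exit('Invalid city id or name');
    }
    // Item (3): connect as an account limited to the grants this page needs.
    $db = new mysqli('localhost', 'app_user', getenv('DB_PASS') ?: '', 'realestate');
    $db->set_charset('utf8mb4');
    echo update_city($db, $id, $name) ? 'City updated' : 'No change';
}
```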
EUVD-2025-17107