CVE-2025-0563

6.3 MEDIUM

📋 TL;DR

CVE-2025-0563 is a critical SQL injection vulnerability in Fantasy-Cricket 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'uname' parameter in /dash/update.php. This affects all users running the vulnerable version of Fantasy-Cricket software. Successful exploitation could lead to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • Fantasy-Cricket
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /dash/update.php endpoint specifically. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential server takeover via SQL injection chaining.

🟠 Likely Case

Unauthorized access to sensitive user data, modification of cricket tournament results, and potential administrative account takeover.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a web application component.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if the application is accessible on internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection via uname parameter is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Implement workarounds or migrate to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Implement strict input validation and parameterized queries for the uname parameter in update.php.
  • Modify /dash/update.php to use prepared statements with parameterized queries.

Web Application Firewall (WAF) (applies to: all)

  • Deploy WAF rules to block SQL injection patterns targeting the update.php endpoint.
  • Configure WAF to block requests containing SQL injection patterns to /dash/update.php.

🧯 If You Can't Patch

  • Disable or restrict access to /dash/update.php endpoint
  • Implement network segmentation to isolate Fantasy-Cricket application from sensitive databases

🔍 How to Verify

Check if Vulnerable:

Test the /dash/update.php endpoint with SQL injection payloads in the uname parameter

Check Version:

Check application version in configuration files or about pages

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts via update.php
  • Suspicious parameter values in web server logs

Network Indicators:

  • SQL injection patterns in HTTP POST requests to /dash/update.php
  • Unusual database connection patterns

SIEM Query:

source="web_server" AND uri="/dash/update.php" AND (param="uname" AND value MATCH "[';]|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CREATE")
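The SIEM query above is pseudo-syntax; the following is an added example (not part of this advisory or of Fantasy-Cricket) that applies the same indicators in Python over a constructed application-log format, so the logic can be tested offline before it is ported to a real SIEM. The log line layout, client addresses and request bodies are all assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed application-log format for this example (not Fantasy-Cricket's
# own logging): "<timestamp> <client-ip> <method> <uri> \"<form body>\"".
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

TARGET_URI = "/dash/update.php"
TARGET_PARAM = "uname"

# Same indicators as the SIEM query: a quote or semicolon, or a SQL keyword.
# Keywords are matched as whole words, case-insensitively, since requests
# that vary case ("uNiOn") would otherwise slip past a literal match.
SQLI_PATTERN = re.compile(
    r"[';]|\b(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CREATE)\b", re.IGNORECASE
)

def suspicious_uname(value: str) -> bool:
    """True if a decoded uname value matches the SQL injection indicators."""
    return SQLI_PATTERN.search(value) is not None

def scan_log(lines):
    """Return one alert per request to /dash/update.php whose uname looks injected."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        ts, src, method, uri, body = m.groups()
        if uri != TARGET_URI:
            continue
        # parse_qs URL-decodes values ("%27" -> "'", "+" -> " "), so the pattern
        # runs against what the application itself would receive.
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get(TARGET_PARAM, []):
            if suspicious_uname(value):
                alerts.append({"ts": ts, "src": src, "method": method, "uname": value})
                break  # one alert per request even if uname is repeated
    return alerts

# Constructed sample lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '2025-01-20T10:00:01Z 203.0.113.5 POST /dash/update.php "uname=alice&points=10"',
    '2025-01-20T10:00:07Z 203.0.113.5 POST /dash/update.php "uname=alice%27--&points=10"',
    '2025-01-20T10:00:09Z 198.51.100.7 POST /dash/update.php "uname=x+uNiOn+sElEcT+1&points=5"',
    '2025-01-20T10:00:12Z 198.51.100.7 GET /dash/index.php ""',
    '2025-01-20T10:00:15Z 192.0.2.9 POST /dash/update.php "uname=O%27Neil&points=3"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Note that the `[';]` clause also flags a legitimate username containing an apostrophe (the last sample line), so treat quote-only hits as lower confidence than keyword hits, or tune the rule against your own user base before alerting on it at high severity.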
