CVE-2025-0945

6.3 MEDIUM

📋 TL;DR

CVE-2025-0945 is a SQL injection vulnerability in itsourcecode Tailoring Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in typedelete.php. This affects all deployments of version 1.0. Attackers can potentially read, modify, or delete database content.

💻 Affected Systems

Products:
  • itsourcecode Tailoring Management System
Versions: 1.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability exists in the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data destruction, and potential remote code execution if database permissions allow.
🟠 Likely Case: Unauthorized data access, data manipulation, and potential privilege escalation within the application.
🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and database permission restrictions.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing web applications.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add input validation to ensure 'id' parameter contains only expected values (e.g., numeric values)

Edit typedelete.php to add: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

Implement Parameterized Queries

all

Replace direct SQL concatenation with prepared statements using PDO or mysqli

Replace the SQL query with a prepared statement, substituting the real table name for the placeholder 'table': $stmt = $pdo->prepare('DELETE FROM table WHERE id = ?'); $stmt->execute([$_GET['id']]);

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict network access to the application to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

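Test typedelete.php with SQL injection payloads like: typedelete.php?id=1' OR '1'='1
Run this only against a non-production copy of the application and database: the parameterized-query workaround above shows this endpoint issuing a DELETE, so an always-true condition can remove every row it matches.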

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test with SQL injection payloads after implementing fixes to ensure they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed DELETE operations with malformed parameters

Network Indicators:

  • HTTP requests to typedelete.php with SQL keywords in parameters
  • Unusual database query patterns

SIEM Query:

source="web_logs" AND uri="*typedelete.php*" AND (param="*' OR*" OR param="*UNION*" OR param="*SELECT*" OR param="*--*" OR param="*;*" OR param="*/*")
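
An added example (not part of the original advisory) of the log check above, in Python: rather than matching SQL keywords as the SIEM query does, it flags any request to typedelete.php whose decoded 'id' is not purely digits. The log lines are constructed samples; the combined log format and the digits-only rule for a legitimate id are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed Apache/Nginx combined log format, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2025:10:01:02 +0000] "GET /typedelete.php?id=7 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.24 - - [12/Feb/2025:10:03:44 +0000] "GET /typedelete.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.24 - - [12/Feb/2025:10:03:51 +0000] "GET /typedelete.php?id=3%3B HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.10 - - [12/Feb/2025:10:05:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Feb/2025:10:06:13 +0000] "GET /typedelete.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"'
)
TARGET_SCRIPT = "typedelete.php"  # vulnerable script named in the advisory


def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded_id) for typedelete.php hits whose id is not all digits."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/" + TARGET_SCRIPT):
            continue
        # parse_qs URL-decodes once; keep_blank_values so an empty "id=" is still checked.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            # Allow-list (assumption: a legitimate id is ASCII digits only).
            # Quotes, spaces, ';' or leftover %-escapes are all reported.
            if not re.fullmatch(r"[0-9]+", value):
                findings.append((m.group("ip"), m.group("ts"), value))
    return findings


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  id={value!r}")
```

Because the check is an allow-list, it also reports values the keyword patterns would miss, and it does not fire on other scripts that happen to carry an 'id' parameter.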
