CVE-2025-10811

Severity: 7.3 HIGH

📋 TL;DR

CVE-2025-10811 is a SQL injection vulnerability in code-projects Hostel Management System 1.0 that lets an attacker manipulate database queries through the ID parameter of the admin interface. All installations of version 1.0 with the vulnerable component exposed are affected. Attackers can potentially read, modify, or delete database content.

💻 Affected Systems

Products:
  • code-projects Hostel Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /justines/admin/mod_comments/index.php?view=view endpoint to be accessible

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including credential theft, data destruction, and potential remote code execution through database functions

🟠 Likely Case: Unauthorized access to and modification of hostel management data (guest records, bookings, financial information)

🟢 If Mitigated: Limited impact; proper input validation and restrictive database permissions confine any damage to non-critical data

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin access but SQL injection is straightforward once authenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add parameter validation to sanitize the ID input before it reaches the SQL query.

Modify /justines/admin/mod_comments/index.php to validate the ID parameter as an integer using is_numeric() or filter_var().

WAF Rule (applies to: all)

Implement web application firewall rules to block SQL injection patterns.

Add a WAF rule that detects and blocks SQL keywords in the ID parameter (UNION, SELECT, INSERT, DELETE, DROP, etc.).

🧯 If You Can't Patch

  • Restrict access to /justines/admin/ directory to trusted IP addresses only
  • Implement database user with minimal permissions (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads: /justines/admin/mod_comments/index.php?view=view&id=1' OR '1'='1

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Test with the same payloads after applying the fixes; the request should return an error or no data.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts followed by admin access
  • Unusual database queries from application user

Network Indicators:

  • HTTP requests to vulnerable endpoint with SQL syntax in parameters
  • Unusual outbound database connections

SIEM Query:

source="web_logs" AND uri="/justines/admin/mod_comments/index.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*' OR '*")
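The log and network indicators above, worked through as an added example that is not part of this advisory: a Python scan over access-log lines that flags requests to the vulnerable endpoint whose parameters carry the SQL patterns from the WAF rule and SIEM query. It URL-decodes parameter values first, so the encoded form of the verification payload is caught, and it uses word boundaries so a value like "selection" does not trip the SELECT check. The combined log format and the sample lines are assumptions, constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Endpoint and patterns are taken from the advisory (WAF keyword list and SIEM query).
VULN_PATH = "/justines/admin/mod_comments/index.php"
SQLI_PATTERNS = [
    re.compile(r"\b(union|select|insert|delete|drop)\b", re.I),  # keywords from the WAF rule
    re.compile(r"'\s*or\s*'", re.I),                              # the ' OR ' shape from the SIEM query
]
# Assumed Apache/nginx combined-log shape; only the request line, time, IP and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def inspect_target(target):
    """Return a finding if the request hits the vulnerable path with SQL syntax in a parameter."""
    url = urlsplit(target)
    if url.path != VULN_PATH:
        return None
    # parse_qs decodes one layer of %xx; unquote_plus once more catches double-encoded values.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    return {"param": name, "value": value, "pattern": pat.pattern}
    return None


def scan_log(lines):
    """Parse each log line and collect findings for the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_target(m.group("target"))
        if finding:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), **finding})
    return hits


# Constructed sample lines (not real traffic). Line 2 carries the advisory's verification payload
# URL-encoded, which a raw-string SIEM match on "' OR '" misses unless the URI is decoded first.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:10:00:01 +0000] "GET /justines/admin/mod_comments/index.php?view=view&id=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2025:10:00:09 +0000] "GET /justines/admin/mod_comments/index.php?view=view&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811',
    '198.51.100.7 - - [10/Oct/2025:10:01:30 +0000] "GET /justines/admin/index.php?view=view&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 404 230',
    '203.0.113.5 - - [10/Oct/2025:10:02:14 +0000] "GET /justines/admin/mod_comments/index.php?view=view&id=7&sort=selection HTTP/1.1" 200 5099',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported; the third hits a different path and the fourth contains "selection", not the keyword SELECT.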
