CVE-2025-10812

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in Hostel Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in the admin interface. Attackers can potentially access, modify, or delete database content. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • Hostel Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin module to be accessible. The vulnerable file path suggests admin panel access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover by chaining the SQL injection into remote code execution.

🟠 Likely Case

Unauthorized database access allowing extraction of sensitive information such as user credentials, personal data, or administrative access.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules block malicious SQL payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly disclosed. Attack requires access to the admin interface path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add parameter validation so that the ID parameter contains only numeric values.

Modify /justines/admin/mod_amenities/index.php to validate $_GET['ID'] with is_numeric() or similar.

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules to block SQL injection patterns.

Add WAF rule: detect and block SQL keywords in the ID parameter.
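As an added example (not code from Hostel Management System or its vendor), here is a hardened PHP handler for the ID parameter of the kind the Input Validation Filter workaround describes. The `$db` mysqli connection, the `amenities` table and its `id`, `name` and `description` columns are assumptions, since the page does not show the project's schema.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection in $db
// and a table `amenities` with an integer primary key `id` (both assumed;
// the page does not show the real schema).

// Vulnerable pattern this class of bug comes from (illustrative only, not
// quoted from the project): the raw parameter is spliced into the SQL text.
//   $sql = "SELECT * FROM amenities WHERE id = '" . $_GET['ID'] . "'";

function loadAmenityById(mysqli $db, array $query): ?array
{
    // Accept only a plain positive integer. FILTER_VALIDATE_INT is stricter
    // than is_numeric(), which also passes values such as "1e3" and "1.5".
    // A missing parameter or an array (ID[]=1) also fails validation.
    $id = filter_var($query['ID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // Validation alone is a filter; binding keeps the value out of the SQL
    // text entirely, so the query structure cannot be altered by input.
    $stmt = $db->prepare('SELECT id, name, description FROM amenities WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    return $row ?: null;
}

// At the top of the admin page, replacing any concatenated query:
// $amenity = loadAmenityById($db, $_GET);
// if ($amenity === null) { exit('Invalid or unknown amenity'); }
```

The integer check blocks the quote-based payload shown under "How to Verify"; the bound parameter is what makes the query safe even if validation is later loosened.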

🧯 If You Can't Patch

  • Restrict network access to the admin interface using firewall rules or network segmentation
  • Implement strong authentication and IP whitelisting for the admin panel

🔍 How to Verify

Check if Vulnerable:

Test the vulnerable endpoint with SQL injection payloads: /justines/admin/mod_amenities/index.php?view=view&ID=1' OR '1'='1

Check Version:

Check software version in documentation or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute: the request should be rejected (for example with an error message) or the input should be properly sanitized before it reaches the database.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple requests with SQL keywords in ID parameter
  • Admin panel access from unexpected IP addresses

Network Indicators:

  • HTTP requests containing SQL injection patterns in query strings
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND uri_path="*mod_amenities*" AND (query_string="*ID=*'*" OR query_string="*ID=*%27*")
