CVE-2025-11105

7.3 HIGH

📋 TL;DR

CVE-2025-11105 is an SQL injection vulnerability in code-projects Simple Scheduling System 1.0 affecting the /schedulingsystem/addsubject.php file. Attackers can manipulate the 'subcode' parameter to execute arbitrary SQL commands, potentially compromising the database. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • code-projects Simple Scheduling System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the vulnerable addsubject.php file accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, deletion, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information, and potential privilege escalation within the database.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and SQL injection is a well-understood attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check the vendor website for updates.
2. If no patch is available, implement the workarounds below.
3. Consider replacing the software with an alternative.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to sanitize the 'subcode' parameter before processing.

Modify addsubject.php so that the 'subcode' value reaches the database only through a prepared statement or parameterized query, never by concatenating it into the SQL text.
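The vulnerable pattern and its hardened replacement, as an added illustration for this advisory rather than code taken from Simple Scheduling System. It assumes (hypothetically) a mysqli connection, a `subjects` table with columns subcode/subname/units, and a form that POSTs those three fields to addsubject.php; the column names, the units cap and the connection details are placeholders.

```php
<?php
// Added illustration, not code from Simple Scheduling System.
// Assumptions (hypothetical): a mysqli connection $conn, a table `subjects`
// with columns subcode/subname/units, and a form that POSTs those fields.

// Vulnerable pattern: the submitted value is spliced into the SQL text, so
// whatever the client sends in `subcode` becomes part of the statement.
//
//   $sql = "INSERT INTO subjects (subcode, subname, units)
//           VALUES ('{$_POST['subcode']}', '{$_POST['subname']}', '{$_POST['units']}')";
//   $conn->query($sql);

// Hardened handler: allow-list validation, then a prepared statement whose
// SQL text is fixed and whose values are bound separately from it.
function add_subject(mysqli $conn, array $post): bool
{
    // Reject missing fields and array-valued fields (e.g. subcode[]=...).
    foreach (['subcode', 'subname', 'units'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    $subcode = trim($post['subcode']);
    $subname = trim($post['subname']);
    $units   = $post['units'];

    // A subject code is a short token of letters, digits and hyphens.
    if (!preg_match('/^[A-Za-z0-9-]{1,16}$/', $subcode)) {
        return false;
    }
    if ($subname === '' || strlen($subname) > 100) {
        return false;
    }
    // Units must be a small non-negative integer (cap of 10 is a placeholder).
    if (!ctype_digit($units) || (int) $units > 10) {
        return false;
    }
    $units = (int) $units;

    $stmt = $conn->prepare(
        'INSERT INTO subjects (subcode, subname, units) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        error_log('addsubject: prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('ssi', $subcode, $subname, $units);
    $ok = $stmt->execute();
    if (!$ok) {
        // Log database errors server-side; never echo them to the client.
        error_log('addsubject: execute failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// Form handler (connection details are placeholders):
// $conn = new mysqli('localhost', 'sched_app', 'CHANGE_ME', 'scheduling');
// if (add_subject($conn, $_POST)) {
//     header('Location: subjects.php');
// } else {
//     http_response_code(400);
//     echo 'Invalid subject data';
// }
```

The allow-list check is what makes the "Input Validation" workaround meaningful: it narrows 'subcode' to the shape the application actually expects, while the prepared statement is what removes the injection regardless of what passes validation. Pairing this with the least-privilege database account from the "If You Can't Patch" section limits what a future bug in another file could do.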

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Configure WAF to block requests containing SQL keywords to /schedulingsystem/addsubject.php

🧯 If You Can't Patch

  • Restrict access to /schedulingsystem/addsubject.php using network controls or authentication
  • Implement database user with minimal privileges (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test the addsubject.php endpoint with SQL injection payloads in the 'subcode' parameter and observe database errors or unexpected behavior.

Check Version:

Check software documentation or configuration files for version information.

Verify Fix Applied:

Retest with the same SQL injection payloads after applying the fixes; requests that previously reached the database should now be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web server
  • SQL syntax errors in application logs
  • Multiple failed login attempts via addsubject.php

Network Indicators:

  • HTTP POST requests to /schedulingsystem/addsubject.php with SQL keywords in parameters
  • Unusual traffic patterns to the vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/schedulingsystem/addsubject.php" AND param="subcode" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "INSERT" OR value CONTAINS "DELETE")
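The same detection logic run over log lines, as an added example that is not part of this advisory or the vendor's software. The log format is hypothetical (timestamp, client IP, method, URI, URL-encoded form body on one line) and the sample lines are constructed; it flags POST requests to the vulnerable endpoint whose decoded parameter values contain the SQL keywords listed in the SIEM query.

```php
<?php
// Added example, not part of the advisory or the vendor's code.
// Assumed (hypothetical) log format, one request per line:
//   <timestamp> <client_ip> <method> <uri> <urlencoded form body>

const VULN_URI = '/schedulingsystem/addsubject.php';
const SQL_KEYWORDS = ['UNION', 'SELECT', 'INSERT', 'DELETE', 'UPDATE', 'DROP'];

// Constructed sample lines: two benign requests and one carrying SQL keywords.
const SAMPLE_LOG = <<<'LOG'
2025-10-01T12:00:00Z 192.0.2.10 POST /schedulingsystem/addsubject.php subcode=CS101&subname=Intro&units=3
2025-10-01T12:00:05Z 192.0.2.10 GET /schedulingsystem/index.php -
2025-10-01T12:01:13Z 198.51.100.7 POST /schedulingsystem/addsubject.php subcode=CS101%27+UNION+SELECT+1%2C2--&subname=x&units=3
LOG;

/**
 * Return one finding per parameter whose value, in a POST to the vulnerable
 * endpoint, contains an SQL keyword as a whole word (case-insensitive).
 */
function find_sqli_indicators(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $line) {
        $parts = explode(' ', trim($line), 5);
        if (count($parts) < 5) {
            continue;  // malformed or bodiless line
        }
        [$ts, $ip, $method, $uri, $body] = $parts;
        if ($method !== 'POST' || $uri !== VULN_URI) {
            continue;
        }
        parse_str($body, $params);  // URL-decodes each form value
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;  // array-valued fields are skipped here
            }
            foreach (SQL_KEYWORDS as $kw) {
                // Word-boundary match limits false positives on ordinary text.
                if (preg_match('/\b' . $kw . '\b/i', $value)) {
                    $findings[] = [
                        'time'    => $ts,
                        'ip'      => $ip,
                        'param'   => $name,
                        'keyword' => $kw,
                        'value'   => $value,
                    ];
                    break;
                }
            }
        }
    }
    return $findings;
}

foreach (find_sqli_indicators(SAMPLE_LOG) as $f) {
    printf("%s %s param=%s keyword=%s value=%s\n",
        $f['time'], $f['ip'], $f['param'], $f['keyword'], $f['value']);
}
```

Decoding the body before matching matters: the keywords in the third sample line arrive URL-encoded, so a rule that matches raw request bytes would miss `+`-encoded spaces and `%27` quotes. Keyword matching is a coarse indicator, so treat a hit as a trigger for review alongside the application's SQL error logs rather than as proof of exploitation.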

🔗 References