CVE-2025-12208

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in SourceCodester Best House Rental Management System 1.0 allows attackers to manipulate database queries through the login2 function's Username parameter. Attackers can potentially read, modify, or delete database contents, and in some cases gain administrative access. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Best House Rental Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, system takeover, and potential lateral movement to other systems.

🟠 Likely Case: Unauthorized data access, authentication bypass, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, though the system remains vulnerable to skilled attackers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and the vulnerability is in a login function, making it attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or consider alternative software.

🔧 Temporary Workarounds

Input Validation Filter (all)

  • Add server-side input validation to sanitize the Username parameter
  • Modify /admin_class.php to add parameterized queries or input sanitization

Web Application Firewall (all)

  • Deploy a WAF with SQL injection rules

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit potential lateral movement

🔍 How to Verify

Check if Vulnerable:

Test the login2 function with SQL injection payloads in the Username parameter

Check Version:

Check system version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and proper input validation is implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts with SQL syntax

Network Indicators:

  • HTTP requests with SQL keywords in Username parameter
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (Username="' OR '1'='1" OR Username="' UNION SELECT" OR Username CONTAINS "--" OR Username CONTAINS "#")
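As an added example (not from the advisory or the vendor), the SIEM query above expressed as a Python check over constructed access-log lines; the log line format, the `body=` field holding the form body, and the `action=login2` path are assumptions about how a reverse proxy might log this application.

```python
import re
from urllib.parse import parse_qs

# Fragments taken from the SIEM query above: a quote-led tautology, a UNION
# SELECT, and the comment markers used to cut off the rest of a statement.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I)),
    ("union", re.compile(r"'\s*union\s+select", re.I)),
    ("comment", re.compile(r"--|#")),
]

# Constructed log format (an assumption, not the app's real log): the proxy
# records client IP, method, path and the URL-encoded form body of each POST.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$'
)


def check_line(line):
    """Return (ip, decoded_username, [matched pattern names]) for a login2
    request carrying a Username field, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs URL-decodes the body, so the patterns see the raw payload text.
    body = parse_qs(m["body"], keep_blank_values=True)
    username = None
    for key, values in body.items():
        if key.lower() == "username":  # field name from the advisory
            username = values[0]
    if username is None or "login2" not in m["path"]:
        return None
    hits = [name for name, pat in SQLI_PATTERNS if pat.search(username)]
    return m["ip"], username, hits


def suspicious_logins(lines):
    """Yield one finding per request whose Username matched a pattern."""
    for line in lines:
        result = check_line(line)
        if result and result[2]:
            yield result


# Constructed sample lines: one benign login, two that match the SIEM query.
SAMPLE_LOG = [
    '10.0.0.5 POST /admin_class.php?action=login2 body="username=alice&password=secret"',
    '10.0.0.9 POST /admin_class.php?action=login2 body="username=%27+OR+%271%27%3D%271&password=x"',
    '10.0.0.9 POST /admin_class.php?action=login2 body="username=admin%27--&password=x"',
    '10.0.0.7 GET /index.php body=""',
]

if __name__ == "__main__":
    for ip, user, hits in suspicious_logins(SAMPLE_LOG):
        print(f"{ip} username={user!r} matched={hits}")
```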

🔗 References
