CVE-2025-12306

7.3 HIGH

📋 TL;DR

CVE-2025-12306 is a SQL injection vulnerability in Nero Social Networking Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /acceptoffres.php. This affects all installations of version 1.0, potentially leading to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • Nero Social Networking Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. No specific configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including data exfiltration, privilege escalation, and potential remote code execution if database functions allow it.

🟠 Likely Case: Unauthorized access to, modification of, or deletion of user information and site content.

🟢 If Mitigated: Limited impact, with proper input validation and database permissions restricting the scope of damage.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a web-facing component.
🏢 Internal Only: MEDIUM - Internal systems running the vulnerable software remain at risk but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or consider alternative solutions.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict input validation for the ID parameter so that it only accepts expected values. Modify /acceptoffres.php to validate the ID parameter using a regex or type casting.

Web Application Firewall (applies to: all)

Deploy a WAF with SQL injection protection rules to block malicious requests. Configure the WAF to block SQL injection patterns targeting /acceptoffres.php.

🧯 If You Can't Patch

  • Isolate the vulnerable system from internet access
  • Implement strict network segmentation and monitoring

🔍 How to Verify

Check if Vulnerable:

Test /acceptoffres.php with SQL injection payloads in the ID parameter and observe whether database errors or unexpected behavior result.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test with the same payloads after implementing the fixes; requests should be rejected with proper error handling and without exposing database details.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests to /acceptoffres.php with suspicious ID parameters
  • Database query errors containing SQL syntax

Network Indicators:

  • HTTP requests to /acceptoffres.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/acceptoffres.php" AND (param="ID" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;)")
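The SIEM query above expressed as a stand-alone log scanner, added here as an example and not part of the original advisory: it parses combined-format access log lines (constructed sample data, documentation-range IPs), isolates the ID parameter of requests to /acceptoffres.php, percent-decodes the value a second time so double-encoded requests are not missed, and applies the page's keyword pattern.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Same keyword pattern as the SIEM query, applied to the decoded ID value.
SQLI_PATTERN = re.compile(r"(?i)(union|select|insert|update|delete|drop|--|#|;)")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_request(line):
    """Return details of a suspicious /acceptoffres.php request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != "/acceptoffres.php":
        return None
    # parse_qs percent-decodes once; unquote() again so double-encoded values are seen decoded.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != "id":
            continue
        for value in values:
            decoded = unquote(value)
            hit = SQLI_PATTERN.search(decoded)
            if hit:
                return {"ip": m.group("ip"), "ts": m.group("ts"),
                        "status": m.group("status"), "id": decoded,
                        "match": hit.group(0)}
    return None

def scan(lines):
    """Run flag_request over an iterable of log lines, keeping only hits."""
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample log lines (not from a real system); only lines 2 and 4 should be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /acceptoffres.php?ID=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:10:01:05 +0000] "GET /acceptoffres.php?ID=42%27%3B-- HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Mar/2025:10:02:11 +0000] "GET /index.php?ID=1%20UNION%20SELECT HTTP/1.1" 200 900',
    '203.0.113.7 - - [10/Mar/2025:10:03:40 +0000] "GET /acceptoffres.php?ID=%2531%2520UNION HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} ID={hit['id']!r} matched {hit['match']!r} (HTTP {hit['status']})")
```

The keyword list is the page's own and will also fire on benign values that happen to contain ";" or "#", so treat hits as triage candidates rather than an automatic block signal.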
