Login Sign Up

CVE-2025-13289

6.3 MEDIUM
SQL Injection

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary SQL commands via the SubCode parameter in the SubjectDetails.php file of the 1000projects Student Database Management System 1.0. This affects all installations of this specific software version that expose the vulnerable component. Attackers can potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • 1000projects Design & Development Student Database Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with the vulnerable file accessible. No specific OS requirements.

📦 What is this software?

Design \& Development Of Student Database Management System by 1000projects

View all CVEs affecting Design \& Development Of Student Database Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive student/teacher data exfiltration, authentication bypass, or system takeover via SQL injection leading to remote code execution.

🟠

Likely Case

Data theft of student records, grades, and personal information; potential database corruption or deletion.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub. SQL injection via SubCode parameter is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize SubCode parameter before processing

Modify SubjectDetails.php to validate SubCode parameter using prepared statements or whitelist validation

Web Application Firewall

all

Deploy WAF with SQL injection rules to block malicious requests

Configure WAF to block SQL injection patterns targeting /TeacherLogin/Academics/SubjectDetails.php

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules to only trusted IPs
  • Implement database user with minimal permissions (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test the SubCode parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check software version in application interface or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer work and return proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation in web logs

Network Indicators:

  • HTTP requests to SubjectDetails.php with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="*SubjectDetails.php*" AND (param="*SubCode*" AND value="*OR*" OR value="*UNION*" OR value="*SELECT*")

📊 Metadata

CVE ID: CVE-2025-13289
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.04% exploit probability (10.3th percentile)
Published: November 17, 2025
Last Updated: November 19, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13289, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)