CVE-2025-13299

7.3 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute SQL injection attacks against itsourcecode Web-Based Internet Laboratory Management System 1.0 through the /user/controller.php file. Successful exploitation could lead to unauthorized data access, modification, or deletion. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • itsourcecode Web-Based Internet Laboratory Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Any system with the vulnerable file accessible is at risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including theft or destruction of all laboratory and user data. Where the application's database account holds file-write or similar privileges (for example MySQL FILE, which lets a query write a file into the web root), SQL injection can escalate to remote code execution and full host takeover.

🟠 Likely Case: Unauthorized read access to laboratory management records and user credentials (password hashes), with the ability to alter or delete rows.

🟢 If Mitigated: Limited impact when queries in controller.php are parameterized, the application uses a least-privilege database account, and the host is network-segmented so only trusted clients can reach it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been published and remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/ (vendor homepage; no dedicated advisory is linked)

Restart Required: No

Instructions:

No official patch is available. Fix the code yourself (replace string-built SQL in controller.php with prepared statements, see the workarounds below) or replace the software.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all versions
Rewrite every query in /user/controller.php that embeds request data (from $_GET, $_POST or $_REQUEST) so that it uses prepared statements with bound parameters; add type and length validation of inputs as defence in depth, not as the sole control.
Effort: Manual code review and modification required

Web Application Firewall (WAF)
Applies to: all versions
Deploy a WAF with SQL injection rules in front of the application; this only filters known payload shapes and does not remove the flaw.
Effort: Depends on WAF solution
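The two patterns behind the workaround above, side by side, as an added example that is not code from the itsourcecode project or from this advisory. It uses an in-memory SQLite database so it runs offline; the table name tbl_user and the request parameter id are placeholders (assumptions), since the page does not name the real table or the injectable parameter.

```php
<?php
// Added example, not code from the itsourcecode project. Demonstrates the
// vulnerable pattern (request data spliced into SQL text) next to the fix
// (validate, then bind). `tbl_user` and the `id` parameter are placeholders.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
    // Constructed sample data.
    $db->exec("INSERT INTO tbl_user VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");
    return $db;
}

// Vulnerable: the request value becomes part of the statement text, so
// a value such as ' OR '1'='1 changes the WHERE clause itself.
function findUserVulnerable(PDO $db, array $request): array
{
    $id  = $request['id'] ?? '';
    $sql = "SELECT id, username, role FROM tbl_user WHERE id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: check the shape first (defence in depth), then bind the value.
// The bound parameter is sent separately from the SQL and can never alter it.
function findUserSafe(PDO $db, array $request): array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                       // in a real controller: 400 Bad Request
    }
    $stmt = $db->prepare('SELECT id, username, role FROM tbl_user WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = makeDb();
$payload = ['id' => "' OR '1'='1"];     // classic tautology, constructed here

printf("vulnerable: %d row(s) returned for the tautology payload\n",
    count(findUserVulnerable($db, $payload)));
printf("hardened:   %d row(s) returned for the tautology payload\n",
    count(findUserSafe($db, $payload)));
printf("hardened, legitimate id=2: %s\n",
    findUserSafe($db, ['id' => '2'])[0]['username'] ?? '(none)');
```

Run it with the PHP CLI (php example.php). The tautology leaks every row through the vulnerable function and is rejected before any query runs in the hardened one, while a legitimate numeric id still resolves. The same shape applies to mysqli: prepare() plus bind_param() instead of string concatenation.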

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict internal network access
  • Implement strict network segmentation and monitor all traffic to/from the system

🔍 How to Verify

Check if Vulnerable:

Confirm that /user/controller.php exists, then read the file: it is vulnerable if any SQL statement is assembled by concatenating or interpolating values from $_GET, $_POST or $_REQUEST rather than using prepared statements with bound parameters.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Confirm in the source that the queries are parameterized, then send a request whose parameter contains a lone single quote: a fixed endpoint responds exactly as it does for a nonexistent record, while a vulnerable one returns a SQL error or altered data. A request blocked by a WAF is not evidence that the code is fixed.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in the PHP or database error log (quote-based probing usually breaks queries before it succeeds)
  • Multiple failed login attempts
  • Unusually large result sets or row counts returned to requests for controller.php (a tautology such as OR 1=1 returns every row)

Network Indicators:

  • SQL injection payloads in HTTP requests to /user/controller.php
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/user/controller.php*" AND (payload="*' OR *" OR payload="*UNION*SELECT*" OR payload="*SELECT*FROM*" OR payload="*INSERT*INTO*" OR payload="*%27*" OR payload="*%20OR%20*")

The original form of this query used exact matches, which never fire on a request that merely contains the keyword; the wildcards above match substrings. Also search the URL-encoded forms (%27 for the quote, %20 for space), since most scanners send the payload encoded.
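The same detection logic run over raw access-log lines, as an added example that is not part of the original advisory. It URL-decodes the request before matching (including double-encoded payloads), restricts itself to the affected path, and uses word-bounded patterns to avoid firing on ordinary words. The log lines and field names are constructed for this example.

```php
<?php
// Added example, not part of the advisory: scan combined-format access-log
// lines for SQL injection attempts against /user/controller.php.

const TARGET_PATH = '/user/controller.php';

// Applied to the fully decoded query string. Word boundaries keep a value
// like "selector" or a page named "union" from triggering.
const SQLI_PATTERNS = [
    'tautology'  => '/\'\s*or\s+[^=]+=/i',            // ' OR 1=1, ' OR 'a'='a
    'union'      => '/\bunion\b\s+(all\s+)?\bselect\b/i',
    'stacked'    => '/;\s*(insert|update|delete|drop)\b/i',
    'comment'    => '~(--|/\*)~',                      // statement terminators
    'time-based' => '/\b(sleep|benchmark)\s*\(/i',
];

// Decode repeatedly (bounded) so %2527 -> %27 -> ' is caught.
function decodeFully(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode(str_replace('+', ' ', $s));
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

// Returns a hit record for a suspicious request to the target path, else null.
function scanLine(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = parse_url($m['target']);
    if (rawurldecode($parts['path'] ?? '') !== TARGET_PATH) {
        return null;
    }
    $query = decodeFully($parts['query'] ?? '');
    $rules = [];
    foreach (SQLI_PATTERNS as $name => $pattern) {
        if (preg_match($pattern, $query)) {
            $rules[] = $name;
        }
    }
    if (!$rules) {
        return null;
    }
    return ['ip' => $m['ip'], 'ts' => $m['ts'], 'status' => $m['status'],
            'query' => $query, 'rules' => $rules];
}

// Constructed sample log: a normal request, a single-encoded tautology,
// a double-encoded UNION probe, and unrelated traffic on another path.
$sampleLog = <<<'LOG'
203.0.113.7 - - [12/Nov/2025:10:14:02 +0000] "GET /user/controller.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:14:09 +0000] "GET /user/controller.php?id=2%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4098 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:14:15 +0000] "GET /user/controller.php?id=2%2527%2520UNION%2520SELECT%25201%252C2%252C3-- HTTP/1.1" 500 0 "-" "sqlmap/1.8"
198.51.100.4 - - [12/Nov/2025:10:15:00 +0000] "GET /index.php?page=union HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    if ($hit = scanLine($line)) {
        printf("%s %s status=%s rules=%s query=%s\n",
            $hit['ts'], $hit['ip'], $hit['status'], implode(',', $hit['rules']), $hit['query']);
    }
}
```

Feed it a real log with php scan.php < access.log after swapping the heredoc for STDIN. Access logs only record the query string; payloads sent in a POST body to controller.php are invisible here and need WAF or application-level request logging to detect.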
