CVE-2025-13420

7.3 HIGH

📋 TL;DR

CVE-2025-13420 is a SQL injection vulnerability in itsourcecode Human Resource Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the eventSubject parameter in EventStore.php. This affects all deployments of version 1.0. Attackers can potentially access, modify, or delete sensitive HR data including employee records, salaries, and personal information.

💻 Affected Systems

Products:
  • itsourcecode Human Resource Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerable file /src/store/EventStore.php is part of core functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via a SQL injection to RCE chain

🟠 Likely Case: Unauthorized access to sensitive HR data including employee records, salaries, and personal information

🟢 If Mitigated: Limited data exposure if proper input validation and WAF rules are in place

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication
🏢 Internal Only: MEDIUM - Internal attackers could exploit if system is network-accessible

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection via eventSubject parameter requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch is available. Consider migrating to an alternative HR system, or apply a custom fix that replaces string-built SQL in EventStore.php with parameterized queries (prepared statements).

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add input validation to sanitize the eventSubject parameter before it is used in a query.

Modify /src/store/EventStore.php to add: $eventSubject = mysqli_real_escape_string($connection, $_POST['eventSubject']);

Note that escaping only protects values placed inside quoted string literals in the query; treat it as a stopgap, with parameterized queries as the durable fix.
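The parameterized-query fix recommended above, as an added example (not the project's own EventStore.php code). It assumes $connection is an open mysqli handle and uses a hypothetical tbl_events table with event_subject and event_date columns; the escaping-only workaround is unnecessary once values are bound this way.

```php
<?php
// Added example, not code from the HRMS project. Assumptions: $connection is an
// open mysqli handle; the table `tbl_events` and its columns are hypothetical.
declare(strict_types=1);

// Vulnerable pattern (illustrative): the request value is interpolated into SQL text,
//   "INSERT INTO tbl_events (event_subject) VALUES ('" . $_POST['eventSubject'] . "')"
// so a value such as ' OR '1'='1 changes the query structure.

function storeEvent(mysqli $connection, string $eventSubject, string $eventDate): bool
{
    // Defence in depth: reject empty/oversized subjects and malformed dates.
    // The prepared statement below is what actually prevents injection.
    if ($eventSubject === '' || mb_strlen($eventSubject) > 255) {
        return false;
    }
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $eventDate)) {
        return false;
    }

    $stmt = $connection->prepare(
        'INSERT INTO tbl_events (event_subject, event_date) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // Values are bound as data, never spliced into the SQL text, so a payload
    // like ' OR '1'='1 is stored literally as a subject string.
    $stmt->bind_param('ss', $eventSubject, $eventDate);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (hypothetical request handling; placeholder credentials):
// $connection = new mysqli('localhost', 'hr_user', 'DB_PASSWORD_PLACEHOLDER', 'hrms');
// storeEvent($connection, $_POST['eventSubject'] ?? '', $_POST['eventDate'] ?? '');
```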

WAF Rule Implementation

Applies to: all

Deploy web application firewall rules to block SQL injection patterns in the eventSubject parameter.

Add a ModSecurity rule, for example: SecRule ARGS:eventSubject "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Isolate the HR system behind a firewall with strict network access controls
  • Implement database monitoring to detect unusual SQL queries and access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether /src/store/EventStore.php exists and passes the eventSubject request parameter directly into a SQL query without parameterization or escaping.

Check Version:

Check application version in admin panel or readme files

Verify Fix Applied:

In a test environment, submit SQL injection payloads such as ' OR '1'='1 in the eventSubject parameter and verify that no database errors or unexpected results occur.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from web server IP
  • Multiple failed login attempts following SQL errors

Network Indicators:

  • HTTP POST requests to /src/store/EventStore.php with SQL keywords in parameters
  • Unusual outbound database connections from web server

SIEM Query (illustrative pseudo-syntax; adapt to your SIEM's query language):

source="web_logs" AND uri="/src/store/EventStore.php" AND (eventSubject CONTAINS "UNION" OR eventSubject CONTAINS "SELECT" OR eventSubject CONTAINS "OR '1'='1'")
