CVE-2025-13421

7.3 HIGH

📋 TL;DR

This is an SQL injection vulnerability in itsourcecode Human Resource Management System 1.0 that allows attackers to execute arbitrary SQL commands through the noticeDesc parameter. The vulnerability affects all installations of version 1.0 and can be exploited remotely without authentication. Attackers could potentially access, modify, or delete sensitive HR data including employee records and payroll information.

💻 Affected Systems

Products:
  • itsourcecode Human Resource Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable; the vulnerability exists in the default configuration and requires no special settings to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to execute operating system commands.

🟠 Likely Case

Unauthorized access to sensitive HR data including employee personal information, salary details, and confidential company records.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and the exploit is publicly available, making internet-facing instances immediate targets.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk increases if attackers gain initial foothold elsewhere.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is publicly disclosed on GitHub and requires minimal technical skill to execute. No authentication is required to exploit the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch is available. Consider migrating to alternative HR software or implementing custom fixes with parameterized queries and input validation.
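The following is an added illustration, not code from itsourcecode's application, of what "custom fixes with parameterized queries and input validation" means for a notice-insert handler such as NoticeStore.php. The table and column names (tbl_notice, notice_title, notice_desc) and the use of an in-memory SQLite database for the demo are assumptions; the real application's schema and database engine are not described on this page.

```php
<?php
// Added illustration (not itsourcecode's code): the injectable pattern beside a
// parameterized replacement for a notice-insert handler such as NoticeStore.php.
// Table and column names (tbl_notice, notice_title, notice_desc) are assumptions.

declare(strict_types=1);

// Vulnerable pattern: untrusted input concatenated straight into the SQL string.
// A value containing a single quote ends the string literal and everything after
// it is parsed by the database as SQL syntax.
function insertNoticeVulnerable(PDO $db, string $title, string $desc): void
{
    $sql = "INSERT INTO tbl_notice (notice_title, notice_desc) VALUES ('$title', '$desc')";
    $db->exec($sql);
}

// Hardened: the SQL text is fixed and the values travel as bound parameters, so
// the database never interprets user input as query syntax. The length checks are
// a second layer (they keep the column within bounds and reject obviously bogus
// input), not a substitute for binding. Byte lengths via strlen avoid a dependency
// on the mbstring extension.
function insertNoticeSafe(PDO $db, string $title, string $desc): void
{
    if ($title === '' || strlen($title) > 200 || strlen($desc) > 5000) {
        throw new InvalidArgumentException('notice title/description out of range');
    }
    $stmt = $db->prepare('INSERT INTO tbl_notice (notice_title, notice_desc) VALUES (:title, :desc)');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':desc', $desc, PDO::PARAM_STR);
    $stmt->execute();
}

// Self-contained demo on a constructed in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_notice (id INTEGER PRIMARY KEY, notice_title TEXT, notice_desc TEXT)');

// A perfectly ordinary description that happens to contain a quote: harmless
// text, but it breaks the concatenated query, which is the same failure an
// attacker-supplied value exploits.
$desc = "Payroll closes Friday; contact O'Brien in HR";

try {
    insertNoticeVulnerable($db, 'Reminder', $desc);
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

insertNoticeSafe($db, 'Reminder', $desc);
$row = $db->query('SELECT notice_desc FROM tbl_notice')->fetch(PDO::FETCH_ASSOC);
echo "stored verbatim: ", $row['notice_desc'], "\n";
```

Run with `php fix_demo.php`: the concatenated version throws a syntax error on the quote, while the prepared statement stores the text verbatim. When the production database is MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that prepares happen server-side rather than being emulated by client-side escaping.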

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (platforms: all)

Implement WAF rules to block SQL injection patterns targeting the /src/store/NoticeStore.php endpoint and noticeDesc parameter.

Input Validation Filter (platforms: all)

Add input validation to sanitize the noticeDesc parameter before processing, rejecting suspicious SQL patterns.

🧯 If You Can't Patch

  • Isolate the HR system on a separate network segment with strict firewall rules limiting access to authorized users only.
  • Implement database-level protections including least privilege accounts, stored procedures, and regular monitoring of database logs for suspicious queries.

🔍 How to Verify

Check if Vulnerable:

Check whether the file /src/store/NoticeStore.php exists and uses the noticeDesc parameter in SQL queries without parameterization or escaping. Test with SQL injection payloads like ' OR '1'='1.

Check Version:

Check the software version in the application's configuration files or about page; look for version 1.0.

Verify Fix Applied:

Verify that all SQL queries using noticeDesc parameter are using prepared statements or proper escaping. Test with SQL injection payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs, especially SQL keywords such as UNION, SELECT or INSERT appearing in the noticeDesc parameter
  • Multiple failed login attempts or unusual access patterns to NoticeStore.php

Network Indicators:

  • HTTP POST requests to /src/store/NoticeStore.php containing SQL injection patterns in parameters
  • Unusual database connection patterns from the web server

SIEM Query:

source="web_logs" AND uri="/src/store/NoticeStore.php" AND (param="noticeDesc" AND value MATCHES "(?i)(union|select|insert|delete|update|drop|--|#|;)")
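As an added example (not part of the advisory and not the vendor's software), the SIEM pattern above turned into a small offline detector that can be run against exported logs. The newline-delimited JSON request-log format is an assumption: ordinary web-server access logs do not record POST bodies, so the noticeDesc value has to come from a WAF or application log that captures request parameters. The sample log lines are constructed.

```php
<?php
// Added example (not from the advisory or the vendor): apply the advisory's SIEM
// pattern to request logs offline. The per-request JSON log format is assumed;
// plain access logs do not contain POST parameters.

declare(strict_types=1);

const TARGET_URI   = '/src/store/NoticeStore.php';
const TARGET_PARAM = 'noticeDesc';
// Same token set as the advisory's SIEM query. Keywords are anchored on word
// boundaries so ordinary prose like "selection" or "updated" does not fire;
// the punctuation tokens are kept loose, as in the advisory, and will produce
// some false positives on normal text.
const SQLI_PATTERN = '/\b(union|select|insert|delete|update|drop)\b|--|#|;/i';

/** Return the distinct suspicious fragments found in a value, or [] if none. */
function sqliIndicators(string $value): array
{
    if (preg_match_all(SQLI_PATTERN, $value, $m) === 0) {
        return [];
    }
    return array_values(array_unique(array_map('strtolower', $m[0])));
}

/** Scan newline-delimited JSON request logs; return one hit per suspicious request. */
function scanRequestLog(string $ndjson): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($ndjson)) as $idx => $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || ($rec['uri'] ?? '') !== TARGET_URI) {
            continue; // malformed line or a different endpoint
        }
        $value = $rec['params'][TARGET_PARAM] ?? null;
        if (!is_string($value)) {
            continue;
        }
        $indicators = sqliIndicators($value);
        if ($indicators !== []) {
            $hits[] = [
                'line'          => $idx + 1,
                'src'           => $rec['src'] ?? '?',
                'indicators'    => $indicators,
                // The advisory notes the flaw is reachable unauthenticated, so an
                // unauthenticated hit deserves a higher priority than one from a
                // logged-in HR user typing a semicolon.
                'authenticated' => !empty($rec['user']),
            ];
        }
    }
    return $hits;
}

// Constructed sample log: a benign notice, a classic probe from outside, a record
// for another endpoint (ignored), and a benign value that trips the loose tokens.
$sample = <<<'LOG'
{"ts":"2025-11-20T09:01:02Z","src":"10.0.5.21","method":"POST","uri":"/src/store/NoticeStore.php","user":"hr.admin","params":{"noticeTitle":"Holiday","noticeDesc":"Office closed on Friday"}}
{"ts":"2025-11-20T09:02:41Z","src":"203.0.113.7","method":"POST","uri":"/src/store/NoticeStore.php","params":{"noticeTitle":"x","noticeDesc":"' UNION SELECT 1,2,3-- "}}
{"ts":"2025-11-20T09:03:10Z","src":"10.0.5.21","method":"POST","uri":"/src/store/EmployeeStore.php","user":"hr.admin","params":{"name":"DROP TABLE"}}
{"ts":"2025-11-20T09:04:55Z","src":"10.0.5.30","method":"POST","uri":"/src/store/NoticeStore.php","user":"hr.clerk","params":{"noticeDesc":"Timesheets due; see HR -- thanks"}}
LOG;

foreach (scanRequestLog($sample) as $hit) {
    printf("line %d  src=%s  authenticated=%s  indicators=%s\n",
        $hit['line'], $hit['src'], $hit['authenticated'] ? 'yes' : 'no',
        implode(',', $hit['indicators']));
}
```

Running `php detect_demo.php` reports two hits: line 2 (unauthenticated, matching union, select and --) and line 4 (an authenticated user whose ordinary text contains ; and --). The second one shows why the advisory's punctuation tokens need triage by source and authentication state rather than automatic blocking.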

🔗 References