Login Sign Up

CVE-2025-14566

7.3 HIGH
SQL Injection

📋 TL;DR

This CVE describes a SQL injection vulnerability in kidaze CourseSelectionSystem that allows remote attackers to execute arbitrary SQL commands via the USN parameter in /Profilers/SProfile/reg.php. All users running vulnerable versions of this software are affected. The vulnerability is remotely exploitable and a public exploit exists.

💻 Affected Systems

Products:
  • kidaze CourseSelectionSystem
Versions: All versions up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected versions.

📦 What is this software?

Courseselectionsystem by Kidaze

View all CVEs affecting Courseselectionsystem →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized data access, data modification, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and the vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries as workaround.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for the USN parameter in reg.php

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns targeting the USN parameter

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to vulnerable systems
  • Deploy intrusion detection systems to monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check if your version commit hash is 42cd892b40a18d50bd4ed1905fa89f939173a464 or earlier

Check Version:

Check git commit history or version files in the application directory

Verify Fix Applied:

Test the USN parameter with SQL injection payloads to verify proper input validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts via USN parameter
  • SQL syntax errors in error logs

Network Indicators:

  • HTTP requests with SQL injection payloads in USN parameter
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (url="/Profilers/SProfile/reg.php" AND (query="*USN=*" AND (query="*' OR *" OR query="*;--*" OR query="*UNION*")))

📊 Metadata

CVE ID: CVE-2025-14566
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.04% exploit probability (10.8th percentile)
Published: December 12, 2025
Last Updated: February 24, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14566, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)