CVE-2025-14585

7.3 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary SQL commands via the ID parameter in the /admin/?page=zone endpoint of itsourcecode COVID Tracking System 1.0. Attackers can potentially read, modify, or delete database content. All deployments of COVID Tracking System 1.0 with the vulnerable endpoint accessible are affected.

💻 Affected Systems

Products:
  • itsourcecode COVID Tracking System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /admin/?page=zone endpoint to be accessible. Default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, or remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized data access and extraction of sensitive information from the COVID tracking database.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available. Attack requires access to the admin endpoint but may be combined with other vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider workarounds or alternative software.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize the ID parameter before SQL processing.

Modify the /admin/?page=zone handler to validate ID as an integer using is_numeric() or similar.

WAF Rule

all

Deploy web application firewall rules to block SQL injection patterns in the ID parameter.

Add WAF rule: Detect SQL keywords in GET parameters for /admin/?page=zone

🧯 If You Can't Patch

  • Restrict network access to the /admin endpoint using firewall rules or network segmentation.
  • Use a database user with minimal permissions (read-only if possible) for the application.

🔍 How to Verify

Check if Vulnerable:

Test the /admin/?page=zone endpoint with SQL injection payloads like ' OR '1'='1 in the ID parameter.

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer produce database errors or unexpected results.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts followed by SQL queries

Network Indicators:

  • HTTP requests to /admin/?page=zone with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/admin/?page=zone" AND (param="ID" AND value MATCHES "(?i)\b(union|select|insert|update|delete|drop|or|and)\b")
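
A log check for the indicators above, as an added example that is not part of the original advisory: it URL-decodes the ID parameter of requests to /admin/?page=zone and flags any value that is not a plain integer, using the advisory's keyword list as a secondary signal. The combined-log-format input, the sample lines, the case-insensitive parameter name and the function name suspicious_zone_requests are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2025:10:01:02 +0000] "GET /admin/?page=zone&id=7 HTTP/1.1" 200 5123
10.0.0.5 - - [12/Dec/2025:10:01:09 +0000] "GET /admin/?page=zone&id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9411
10.0.0.9 - - [12/Dec/2025:10:02:30 +0000] "GET /admin/?page=zone&ID=3%20UNION%20SELECT%201 HTTP/1.1" 500 312
10.0.0.7 - - [12/Dec/2025:10:03:00 +0000] "GET /admin/?page=orders&id=12 HTTP/1.1" 200 800
10.0.0.7 - - [12/Dec/2025:10:03:05 +0000] "GET /admin/?page=zone HTTP/1.1" 200 4100
10.0.0.8 - - [12/Dec/2025:10:04:11 +0000] "GET /admin/?page=zone&id=12abc HTTP/1.1" 200 4100
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
INTEGER_RE = re.compile(r"[0-9]{1,10}")  # assumption: zone IDs are plain decimal integers
# Keyword list from the SIEM query, with word boundaries so that values such as
# "order" or "android" do not match "or" / "and".
SQL_KEYWORD_RE = re.compile(r"(?i)\b(union|select|insert|update|delete|drop|or|and)\b")


def suspicious_zone_requests(log_text):
    """Return one finding per suspicious ID value sent to /admin/?page=zone."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded quotes and spaces are visible.
        pairs = [(k.lower(), v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        if not parts.path.rstrip("/").endswith("/admin") or ("page", "zone") not in pairs:
            continue
        for value in (v for k, v in pairs if k == "id"):
            reasons = []
            if not INTEGER_RE.fullmatch(value):   # allow-list: primary signal
                reasons.append("non-integer id")
            if SQL_KEYWORD_RE.search(value):      # keyword match: secondary signal
                reasons.append("sql keyword")
            if reasons and status.startswith("5"):
                reasons.append("server error")    # may correspond to a SQL error
            if reasons:
                findings.append({"client": client, "id": value,
                                 "status": int(status), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_zone_requests(SAMPLE_LOG):
        print(finding)
```

The integer allow-list catches the `12abc` request that contains no SQL keyword, which is why it is the primary signal here.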
