CVE-2025-14620

7.3 HIGH

📋 TL;DR

CVE-2025-14620 is an SQL injection vulnerability in code-projects Student File Management System 1.0 that allows attackers to manipulate database queries via the Username parameter in /admin/login_query.php. This can lead to authentication bypass, data theft, or system compromise. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • code-projects Student File Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version 1.0 of this software. The vulnerability exists in the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including administrative access, data exfiltration, and potential remote code execution on the underlying server.

🟠 Likely Case: Authentication bypass leading to unauthorized administrative access, followed by data manipulation or theft of student records.

🟢 If Mitigated: Limited impact; with proper input validation and database permissions, damage is restricted to the affected application's data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub and vuldb.com. The vulnerability requires no authentication and is simple to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries in /admin/login_query.php or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Add server-side validation of the Username parameter before it reaches any SQL query
  • Modify /admin/login_query.php to use prepared statements with parameterized queries, so the submitted value is bound as data and never concatenated into the SQL text
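The following is an added example of what a parameterized login check for /admin/login_query.php can look like; it is not code from the code-projects project. It assumes an open mysqli connection in $conn, an `admin` table with `username` and `password_hash` columns, and POST fields named Username (as in the advisory) and Password; all of these names are assumptions.

```php
<?php
// Added example (not code from the code-projects project): a parameterized
// admin login check. Assumptions: an open mysqli connection in $conn, an
// `admin` table with `username` and `password_hash` columns, and POST fields
// Username (as named in the advisory) and Password.

// The pattern the advisory describes is string concatenation of the form
//   "SELECT * FROM admin WHERE username='" . $_POST['Username'] . "'"
// where the submitted value becomes part of the SQL text. The version below
// sends the SQL and the value separately, so the value is only ever data.

// Dummy hash used to keep the failure path's timing similar to a real check.
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

function find_admin_by_username(mysqli $conn, string $username): ?array
{
    $stmt = $conn->prepare('SELECT id, password_hash FROM admin WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);   // 's' binds the value as a string
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed');
    }
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// True only when the username exists and the password matches its stored hash.
function admin_login(mysqli $conn, string $username, string $password): bool
{
    $row = find_admin_by_username($conn, $username);
    if ($row === null) {
        password_verify($password, DUMMY_HASH);  // unknown user: still do the work
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Defence in depth: reject usernames outside the expected character set before
// the query runs. The prepared statement is what stops the injection; this
// only shrinks the input space and gives cleaner logs.
function username_is_well_formed(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username) === 1;
}

$username = $_POST['Username'] ?? '';
$password = $_POST['Password'] ?? '';

if (!username_is_well_formed($username) || !admin_login($conn, $username, $password)) {
    http_response_code(401);
    exit('Login failed');
}
// ... establish the admin session here ...
```

The important property is that `$username` never appears inside the SQL string: `prepare()` fixes the query shape before `bind_param()` supplies the value. If the application compares passwords in the query itself (`... AND password = ?`), move that comparison into PHP with `password_verify()` as shown, so the database only ever looks up the user.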

Web Application Firewall (WAF) (applies to: all)

  • Deploy WAF rules to block SQL injection patterns targeting the login endpoint
  • Configure WAF to block requests containing SQL keywords like UNION, SELECT, INSERT, DELETE when sent to /admin/login_query.php; treat this as a stopgap, since keyword lists produce false positives on legitimate input and do not replace fixing the query

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all access to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether /admin/login_query.php exists and, if so, whether the Username parameter is concatenated into the SQL string rather than bound through a prepared statement; the advisory describes no input validation on that parameter

Check Version:

Check software documentation or configuration files for version information

Verify Fix Applied:

Submit login requests containing SQL injection payloads and confirm the application rejects them without producing an SQL error, then confirm in the code that the query is parameterized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with SQL syntax in Username field
  • Successful admin logins from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to /admin/login_query.php containing SQL keywords
  • Unusual database query patterns from the application server

SIEM Query:

source="web_logs" AND uri="/admin/login_query.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "' OR '")
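As an added example (not part of the advisory or the project), the script below applies the same conditions as the SIEM query above to request records, so the logic can be checked on a sample before being deployed. The log format is constructed for illustration: one request per line, tab-separated as client IP, method, URI and raw form body. Ordinary web server access logs do not record POST bodies, so this assumes an application or WAF log that does.

```php
<?php
// Added example, not part of the advisory or the project. Applies the
// advisory's SIEM conditions to request records. Log format is constructed:
// one request per line, tab-separated as
//   <client ip> <method> <uri> <raw form body>

const LOGIN_ENDPOINT = '/admin/login_query.php';

// Same fragments as the SIEM query. Matching is case-insensitive and runs on
// the URL-decoded body: a form-encoded request carries the quote as %27 and
// spaces as +, so a literal match on the raw body would miss it.
const SUSPICIOUS_FRAGMENTS = ['UNION', 'SELECT', "' OR '"];

function is_suspicious_login_request(string $uri, string $rawBody): bool
{
    if ($uri !== LOGIN_ENDPOINT) {
        return false;
    }
    $body = urldecode($rawBody);
    foreach (SUSPICIOUS_FRAGMENTS as $fragment) {
        if (stripos($body, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

// Returns the matching records plus a per-source count, since repeated
// attempts from one address are the stronger indicator.
function scan_log(string $log): array
{
    $hits = [];
    $perIp = [];
    foreach (explode("\n", trim($log)) as $line) {
        $parts = explode("\t", $line, 4);
        if (count($parts) < 4) {
            continue;               // malformed line: skip rather than crash
        }
        [$ip, $method, $uri, $rawBody] = $parts;
        if ($method === 'POST' && is_suspicious_login_request($uri, $rawBody)) {
            $hits[] = ['ip' => $ip, 'uri' => $uri, 'body' => urldecode($rawBody)];
            $perIp[$ip] = ($perIp[$ip] ?? 0) + 1;
        }
    }
    return ['hits' => $hits, 'per_ip' => $perIp];
}

// Constructed sample: a normal login, two suspicious attempts from one address
// (one mixed-case to exercise stripos), a request to another page that merely
// contains the word "select", and a GET with no body.
$sampleLog = implode("\n", [
    "10.0.0.5\tPOST\t/admin/login_query.php\tUsername=jsmith&Password=correcthorse",
    "10.0.0.9\tPOST\t/admin/login_query.php\tUsername=admin%27+OR+%271%27%3D%271&Password=x",
    "10.0.0.9\tPOST\t/admin/login_query.php\tUsername=test+union+select+test&Password=x",
    "10.0.0.7\tPOST\t/search.php\tq=please+select+a+file",
    "10.0.0.5\tGET\t/admin/login_query.php\t",
]);

$result = scan_log($sampleLog);
foreach ($result['hits'] as $hit) {
    printf("%s %s %s\n", $hit['ip'], $hit['uri'], $hit['body']);
}
foreach ($result['per_ip'] as $ip => $count) {
    if ($count > 1) {
        printf("repeated attempts from %s: %d\n", $ip, $count);
    }
}
```

On the sample, only the two records from 10.0.0.9 match, and that address is reported for repeated attempts; the /search.php request is ignored because the URI filter is applied first. The same two points carry over to the SIEM query: make sure the indexed field holds the decoded body, and make the keyword match case-insensitive if the platform's CONTAINS is not.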
