CVE-2025-2062

7.3 HIGH

📋 TL;DR

A critical SQL injection vulnerability in Life Insurance Management System 1.0 allows attackers to manipulate database queries via the client_id parameter in /clientStatus.php. This enables unauthorized data access, modification, or deletion. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • Life Insurance Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default. The vulnerability exists in the core application code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover by chaining the SQL injection into remote code execution.

🟠 Likely Case

Unauthorized access to sensitive client data and policy information, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and restrictive database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires access to the vulnerable endpoint but may not require authentication depending on application configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (PHP)

Modify /clientStatus.php to validate the client_id input and use prepared statements.

Replace dynamically built SQL queries with parameterized queries using PDO or mysqli prepared statements.
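A hardened version of the client_id lookup, written as an added example for this advisory rather than taken from the Life Insurance Management System code base. It assumes a clients table with client_id, name and status columns, a MySQL DSN, and a dedicated read-only database user (lims_readonly); adjust these to the real schema. The two controls are the ones described above: an allow-list check that client_id is a positive integer, and a PDO prepared statement with emulation disabled so the value is never spliced into the SQL text.

```php
<?php
// Added example (not the project's own code): hardened handler for the
// client_id lookup in /clientStatus.php. Table/column names, the DSN and
// the database user are assumptions.
declare(strict_types=1);

// 1. Allow-list validation: client_id must be a positive integer.
//    The typical vulnerable pattern interpolates the raw request value into
//    the query string; rejecting anything that is not an integer removes
//    that attack surface before the value reaches the database layer.
$clientId = filter_var(
    $_GET['client_id'] ?? '',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($clientId === false) {
    http_response_code(400);
    exit('Invalid client_id');
}

// 2. Connect with native prepared statements and exceptions enabled.
//    With emulation on, PDO would still build the final query string
//    itself; disabling it sends the parameter to MySQL separately.
$pdo = new PDO(
    'mysql:host=localhost;dbname=lims;charset=utf8mb4', // assumed DSN
    'lims_readonly',                                     // assumed read-only DB user
    getenv('LIMS_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// 3. Parameterized query: the SQL text is fixed, only the value is bound.
try {
    $stmt = $pdo->prepare(
        'SELECT client_id, name, status FROM clients WHERE client_id = :id'
    );
    $stmt->bindValue(':id', $clientId, PDO::PARAM_INT);
    $stmt->execute();
    $client = $stmt->fetch();
} catch (PDOException $e) {
    // Log the detail server-side; never echo driver errors to the client,
    // since they leak schema information.
    error_log('clientStatus lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Lookup failed');
}

if ($client === false) {
    http_response_code(404);
    exit('No such client');
}

header('Content-Type: application/json');
echo json_encode($client);
```

Because validation runs before any connection is opened, a probe such as 1' OR '1'='1 receives a 400 and never touches the database, and driver errors are logged rather than echoed, which also removes the error-message exposure listed under "If Mitigated". Pairing this with the read-only database user from the "If You Can't Patch" list limits what a remaining flaw elsewhere in the application could do.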

Web Application Firewall (WAF) (all platforms)

Deploy WAF rules to block SQL injection patterns targeting /clientStatus.php.

Configure the WAF to block requests containing SQL keywords in the client_id parameter.

🧯 If You Can't Patch

  • Block external access to /clientStatus.php via firewall rules or web server configuration
  • Implement strict database user permissions with read-only access where possible

🔍 How to Verify

Check if Vulnerable:

Test /clientStatus.php endpoint with SQL injection payloads in client_id parameter (e.g., 1' OR '1'='1)

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads in client_id are rejected without altering the query result, and that the application returns only a generic error message rather than database error text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests to /clientStatus.php with suspicious parameters

Network Indicators:

  • HTTP requests to /clientStatus.php containing SQL keywords (UNION, SELECT, etc.)

SIEM Query:

source="web_logs" AND uri="/clientStatus.php" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR '1'='1*")
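The SIEM query above keys on SQL keywords, which URL-encoded or double-encoded payloads can slip past. The following script is an added example, not part of this advisory, that applies the same indicators to web access-log lines after decoding and adds a stricter allow-list test: client_id should only ever be a positive integer, so any other value is anomalous even when no keyword appears. The four log lines are constructed samples in common log format; the log layout and the param field name are assumptions.

```php
<?php
// Added example (not part of the advisory): flag suspicious requests to
// /clientStatus.php in access-log lines. Log layout is assumed (CLF).
declare(strict_types=1);

// Constructed sample log lines: one benign lookup, one plain payload, one
// double-encoded payload, and one unrelated request to another endpoint.
$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /clientStatus.php?client_id=42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /clientStatus.php?client_id=1'%20OR%20'1'%3D'1 HTTP/1.1" 200 9812
203.0.113.7 - - [10/Mar/2025:10:01:15 +0000] "GET /clientStatus.php?client_id=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 77
198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "GET /index.php?page=1%20UNION%20SELECT HTTP/1.1" 200 300
LOG;

/** Decode repeatedly (bounded) so double-encoded values are inspected too. */
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/**
 * Return a finding for a suspicious /clientStatus.php request, or null.
 * Two checks are applied:
 *  - the keyword indicators from the SIEM query (UNION / SELECT / OR '1'='1);
 *  - an allow-list check: client_id must be a positive integer.
 */
function scanLine(string $line): ?array
{
    $clf = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($clf, $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $target, $status] = $m;

    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== '/clientStatus.php') {
        return null;
    }
    // parse_str decodes one layer; fullyDecode strips any further layers.
    parse_str($parts['query'] ?? '', $params);
    $clientId = fullyDecode((string)($params['client_id'] ?? ''));

    $reasons = [];
    if (preg_match('/\bUNION\b|\bSELECT\b|\bOR\s*\'1\'\s*=\s*\'1/i', $clientId)) {
        $reasons[] = 'sql-keyword';
    }
    if ($clientId !== '' && !preg_match('/^[1-9]\d*$/', $clientId)) {
        $reasons[] = 'non-integer-client_id';
    }
    if ($reasons === []) {
        return null;
    }
    return compact('ip', 'ts', 'method', 'status', 'clientId', 'reasons');
}

foreach (explode("\n", $sampleLog) as $line) {
    $f = scanLine($line);
    if ($f !== null) {
        printf("%s %s status=%s client_id=%s reasons=%s\n",
            $f['ts'], $f['ip'], $f['status'], $f['clientId'],
            implode(',', $f['reasons']));
    }
}
```

On the samples, the benign lookup and the /index.php request produce no finding, the plain payload is flagged on both checks, and the double-encoded payload is caught because decoding happens before matching. The non-integer check is the more durable signal for this endpoint: it does not depend on keyword lists and also surfaces the 500 responses that "Unusual SQL errors in application logs" points to.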
