CVE-2025-2419

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability (CVSS 6.3, medium) in Real Estate Property Management System 1.0 lets an unauthenticated remote attacker inject SQL through the txtName, txtEmail, txtMobile and txtFeedback parameters of InsertFeedback.php. Depending on the privileges of the database account the web application uses, the attacker can read, modify or delete database content. Every deployment of version 1.0 is affected, and no fixed version is known.

💻 Affected Systems

Products:
  • Real Estate Property Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the InsertFeedback.php file specifically through txtName, txtEmail, txtMobile, and txtFeedback parameters.

📦 What is this software?

A small PHP web application distributed through code-projects.org for managing property listings. InsertFeedback.php is the script that stores visitor feedback (name, e-mail address, mobile number and message, the four txt* parameters listed above) in the application's database.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the application database (data theft and data destruction), escalating to remote code execution only if the database account holds privileges that let it write files on the host (for example MySQL's FILE privilege used with INTO OUTFILE against the web root).

🟠

Likely Case

Unauthenticated reading and tampering of the application's database: property and tenant records, user accounts, feedback entries and any other table the web application's database account can reach.

🟢

If Mitigated

Limited impact if the INSERT in InsertFeedback.php is parameterized and the web application's database account is restricted to the tables and privileges it actually needs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and SQL injection is a well-understood attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. The proper fix is to rewrite the INSERT in InsertFeedback.php as a parameterized (prepared) statement with the four fields bound as parameters. Input validation on its own only narrows the attack surface and should be treated as a stop-gap, not as the fix.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add input validation in InsertFeedback.php before the values reach the query: reject or escape quote characters and comment sequences in txtName, txtEmail, txtMobile and txtFeedback, and enforce the expected shape of each field (an e-mail address, digits for the mobile number). This reduces exposure but is not a substitute for a parameterized query.

Web Application Firewall Rule (platform: all)

Configure the WAF to block requests to /InsertFeedback.php whose parameters contain SQL injection patterns (a quote followed by SQL syntax, comment sequences such as -- or /*, UNION SELECT, subselects). Match on the decoded parameter values, since payloads normally arrive URL-encoded and in mixed case.
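To make the fix and the "data theft" worst case concrete, here is an added example that is not code from Real Estate Property Management System (this page does not reproduce the InsertFeedback.php source). It rebuilds the feedback insert in Python against an in-memory SQLite database: the vulnerable function concatenates the four form fields into the INSERT the way a PHP script built by string interpolation would, and the fixed one binds them as parameters. The table and column names, the users table and its password row, and the payload are all assumptions chosen for the demonstration.

```python
"""Added example, not code from Real Estate Property Management System: a
miniature of the InsertFeedback.php flaw rebuilt in Python on SQLite, showing
the string-built INSERT beside its parameterized replacement.
Table and column names, and the 'users' table, are assumptions."""
import sqlite3

# The four form fields named in the advisory.
FIELDS = ("txtName", "txtEmail", "txtMobile", "txtFeedback")

# Constructed payload for txtName: closes the string literal, supplies a scalar
# subquery as the e-mail column, finishes the VALUES list and comments out
# the remainder of the original statement.
PAYLOAD = "x', (SELECT password FROM users LIMIT 1), '0', 'leak') -- "


def make_db() -> sqlite3.Connection:
    """Constructed schema: the feedback table plus a second table holding data
    an attacker would want. Not the application's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE feedback(name TEXT, email TEXT, mobile TEXT, message TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
        """
    )
    return db


def insert_feedback_vulnerable(db: sqlite3.Connection, form: dict) -> None:
    """Builds the INSERT by concatenation (assumed to be the pattern behind
    CVE-2025-2419). A quote in any field ends the literal and everything
    after it is parsed as SQL."""
    sql = (
        "INSERT INTO feedback(name, email, mobile, message) VALUES ('"
        + form["txtName"] + "', '" + form["txtEmail"] + "', '"
        + form["txtMobile"] + "', '" + form["txtFeedback"] + "')"
    )
    db.execute(sql)
    db.commit()


def insert_feedback_fixed(db: sqlite3.Connection, form: dict) -> None:
    """Parameterized INSERT: the values travel separately from the SQL text,
    so the identical payload is stored as an ordinary string."""
    db.execute(
        "INSERT INTO feedback(name, email, mobile, message) VALUES (?, ?, ?, ?)",
        tuple(form[f] for f in FIELDS),
    )
    db.commit()


def last_feedback(db: sqlite3.Connection) -> tuple:
    """Most recently stored feedback row as (name, email, mobile, message)."""
    return db.execute(
        "SELECT name, email, mobile, message FROM feedback ORDER BY rowid DESC LIMIT 1"
    ).fetchone()


def demo() -> tuple:
    """Runs the same form submission through both versions and returns the
    row each one stored: (vulnerable_row, fixed_row)."""
    form = {"txtName": PAYLOAD, "txtEmail": "a@example.com",
            "txtMobile": "0000", "txtFeedback": "hello"}
    vulnerable_db = make_db()
    insert_feedback_vulnerable(vulnerable_db, form)
    fixed_db = make_db()
    insert_feedback_fixed(fixed_db, form)
    return last_feedback(vulnerable_db), last_feedback(fixed_db)


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable stored:", leaked)   # e-mail column now holds 'hunter2'
    print("fixed stored:     ", stored)   # payload kept verbatim in the name column
```

With the vulnerable function the stored row is ('x', 'hunter2', '0', 'leak'): the admin password has been copied into the feedback table, where anyone who can view feedback reads it. With the parameterized function the same submission stores the payload as plain text. In the PHP application the equivalent change is a mysqli prepared statement, `$stmt = $mysqli->prepare("INSERT INTO feedback (name, email, mobile, message) VALUES (?, ?, ?, ?)"); $stmt->bind_param("ssss", $name, $email, $mobile, $feedback); $stmt->execute();` (column names assumed); escaping with mysqli_real_escape_string is the weaker stop-gap described under Input Validation Filter.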

🧯 If You Can't Patch

  • Disable or restrict access to InsertFeedback.php functionality
  • Implement network segmentation to isolate the vulnerable system

🔍 How to Verify

Check if Vulnerable:

On a system you are authorized to test, submit a single quote character (') in one of txtName, txtEmail, txtMobile or txtFeedback to InsertFeedback.php. A database error, an HTTP 500 or a feedback entry that is never stored indicates the value reached the query unescaped; a quote stored verbatim indicates the statement is parameterized or the input is escaped.

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Repeat the single-quote probe and confirm the value is stored verbatim with no database error, and confirm that the INSERT in InsertFeedback.php now uses a prepared statement with all four fields bound as parameters.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in the application or database error log originating from InsertFeedback.php
  • Rows in the table behind the feedback form that contain SQL fragments (quotes, comment markers, subselects) or values copied from other tables
  • Queries from the web application's database account touching tables the feedback form has no reason to read, such as user or account tables

Network Indicators:

  • POST requests to /InsertFeedback.php whose form fields contain quote characters, comment sequences (--, /*) or UNION/SELECT fragments, usually URL-encoded; stock web-server access logs do not record POST bodies, so this requires a WAF, reverse proxy or application-level log
  • Bursts of requests to /InsertFeedback.php from a single source (scanner activity) or unusual volume of database traffic from the web server

SIEM Query:

source="web_logs" AND uri="/InsertFeedback.php" AND (payload CONTAINS "UNION" OR payload CONTAINS "SELECT" OR payload CONTAINS "INSERT" OR payload CONTAINS "DELETE")

Run the match case-insensitively on the URL-decoded payload (attackers send %27 and lower-case keywords), and expect false positives from ordinary feedback text that contains words such as "select"; treat a hit as a trigger for review rather than an automatic block.
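A substring match like the query above is a reasonable first trigger but works on raw text. The following added example, which is not part of the advisory or the vulnerable project, shows a detection pass that decodes the form body first and looks for injection structure (a quote followed by SQL syntax, a subselect, UNION SELECT, a trailing comment) rather than bare keywords. The log lines are constructed, and the log format is an assumption: a standard combined-log prefix with the raw form body appended as a final quoted field, which a WAF, reverse proxy or application log could produce; plain access logs do not record POST bodies.

```python
"""Added example, not part of the advisory or the vulnerable project: a
detection pass over constructed web-server log lines for requests to
/InsertFeedback.php. Log format is an assumption: combined-log prefix, then the
raw form body as a final quoted field (a WAF, reverse proxy or application log
could write this; stock access logs do not record POST bodies)."""
import re
from typing import Optional
from urllib.parse import parse_qs

TARGET_PATH = "/InsertFeedback.php"
FIELDS = ("txtName", "txtEmail", "txtMobile", "txtFeedback")

# Constructed sample lines. The second carries, URL-encoded and lower-case,
#   x', (select password from users limit 1), '0', 'leak') --
# in txtName; the third is ordinary feedback that happens to say "select".
LOG_LINES = [
    '203.0.113.5 - - [12/Mar/2025:10:15:02 +0000] "POST /InsertFeedback.php HTTP/1.1" 200 512 '
    '"txtName=Alice&txtEmail=alice%40example.com&txtMobile=5551234&txtFeedback=Nice+site"',
    '203.0.113.9 - - [12/Mar/2025:10:15:44 +0000] "POST /InsertFeedback.php HTTP/1.1" 500 231 '
    '"txtName=x%27%2C+%28select+password+from+users+limit+1%29%2C+%270%27%2C+%27leak%27%29+--+'
    '&txtEmail=a%40b.c&txtMobile=0&txtFeedback=hi"',
    '198.51.100.7 - - [12/Mar/2025:10:16:10 +0000] "POST /InsertFeedback.php HTTP/1.1" 200 512 '
    '"txtName=Bob&txtEmail=bob%40example.com&txtMobile=5550000'
    '&txtFeedback=I+want+to+select+a+flat+near+the+station"',
    '203.0.113.9 - - [12/Mar/2025:10:17:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<body>[^"]*)"$'
)

# Structural indicators instead of bare keywords: a quote that closes the
# literal and is followed by SQL syntax, a scalar subquery, UNION SELECT,
# or a comment sequence that swallows the rest of the statement.
INDICATORS = {
    "quote_break": re.compile(r"'\s*(?:,|\)|;|--|\|\||\bor\b|\band\b|\bunion\b)", re.I),
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "comment_tail": re.compile(r"(?:--\s|--$|/\*)"),
}


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields and decode the form body (parse_qs turns
    '+' and %XX sequences back into the characters the client sent)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["form"] = parse_qs(rec["body"], keep_blank_values=True) if rec["body"] != "-" else {}
    return rec


def suspicious_fields(form: dict) -> list:
    """Return (field, decoded value, matched indicator names) for each of the
    four feedback parameters whose value looks like SQL rather than text."""
    hits = []
    for field in FIELDS:
        for value in form.get(field, []):
            names = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if names:
                hits.append((field, value, names))
    return hits


def scan(lines: list) -> list:
    """Run the indicators over every request to the vulnerable script."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for field, value, names in suspicious_fields(rec["form"]):
            findings.append({"ts": rec["ts"], "ip": rec["ip"], "status": rec["status"],
                             "field": field, "value": value, "indicators": names})
    return findings


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['field']} "
              f"{','.join(hit['indicators'])} {hit['value']!r}")
```

Only the second line is reported (quote_break, subquery and comment_tail all fire on txtName); the legitimate "select a flat" feedback and the unrelated GET are ignored. Quoted words in ordinary prose ("'great', thanks") can still trip quote_break, so the output is meant for triage, with the HTTP 500 beside the hit being the stronger signal that the injected SQL actually reached the database.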

🔗 References