CVE-2025-29181

7.2 HIGH

📋 TL;DR

FOXCMS versions up to 1.25 contain a SQL injection vulnerability in the admin panel's field management functionality (/admin/util/Field.php). Attackers can inject SQL through the title parameter, potentially reading or modifying database content. All FOXCMS installations on which this admin code path is reachable are affected.

💻 Affected Systems

Products:
  • FOXCMS
Versions: <= V1.25
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to admin panel (/admin/util/Field.php). Default installations are vulnerable if admin interface is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data manipulation, or full system takeover via subsequent attacks.

🟠 Likely Case: Unauthorized data access, privilege escalation, or database manipulation by authenticated attackers.

🟢 If Mitigated: Limited impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin authentication. A public proof-of-concept is available in a GitHub gist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Implement input validation and parameterized queries in /admin/util/Field.php.

🔧 Temporary Workarounds

Input Validation Workaround (applies to: all)

Validate the $param['title'] parameter against an allowlist before it reaches the SQL query.

Edit /admin/util/Field.php to add the check ahead of the query: if(!preg_match('/^[a-zA-Z0-9_\s]+$/', $param['title'])) { die('Invalid input'); }

Note that this allowlist also rejects legitimate titles containing punctuation or non-ASCII characters; treat it as a stopgap until the query itself is parameterized.
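As an added illustration (not FOXCMS code), the following hypothetical title-update handler shows the string-concatenation pattern that makes a parameter like $param['title'] injectable, next to a hardened version that combines the allowlist check from the workaround above with a PDO prepared statement. The table and column names (cms_field, title, id) and the SQLite-backed connection are assumptions made for the demo; the fix pattern applies unchanged to the MySQL connection a real installation would use.

```php
<?php
// Added example, not FOXCMS's own code. Table/column names and the in-memory
// SQLite connection are assumptions so the script runs stand-alone.

function update_field_title_vulnerable(PDO $pdo, array $param): int
{
    // Untrusted input is spliced into the SQL text: any quote in the title
    // terminates the string literal and the rest is parsed as SQL.
    $sql = "UPDATE cms_field SET title = '" . $param['title'] . "' WHERE id = " . $param['id'];
    return $pdo->exec($sql);
}

function validate_title(string $title): string
{
    // Same character set as the workaround's allowlist, tightened: \z instead of $
    // so a trailing newline cannot pass, plus a length cap for the column.
    if (strlen($title) > 64 || !preg_match('/^[a-zA-Z0-9_ ]+\z/', $title)) {
        throw new InvalidArgumentException('Invalid title');
    }
    return $title;
}

function update_field_title_hardened(PDO $pdo, array $param): int
{
    $title = validate_title((string) ($param['title'] ?? ''));
    $id    = filter_var($param['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('Invalid id');
    }
    // Prepared statement: values are sent separately from the query text, so no
    // character in $title can alter the statement's structure.
    $stmt = $pdo->prepare('UPDATE cms_field SET title = :title WHERE id = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE cms_field (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO cms_field (id, title) VALUES (1, 'original'), (2, 'other')");

// A perfectly ordinary title with an apostrophe breaks the concatenated query:
// the same fragility an attacker relies on.
try {
    update_field_title_vulnerable($pdo, ['id' => 1, 'title' => "O'Reilly"]);
} catch (PDOException $e) {
    echo "vulnerable: SQL error on a quote in the title\n";
}

// The hardened path rejects it at the allowlist before any SQL runs.
try {
    update_field_title_hardened($pdo, ['id' => 1, 'title' => "O'Reilly"]);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")\n";
}

// A benign title goes through and updates exactly one row.
$rows = update_field_title_hardened($pdo, ['id' => 1, 'title' => 'Product name']);
echo "hardened: updated $rows row(s)\n";
print_r($pdo->query('SELECT id, title FROM cms_field ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
```

The prepared statement is what actually closes the hole; once it is in place the allowlist can be relaxed to admit titles such as O'Reilly without reopening the injection.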

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules to block SQL injection patterns.

ModSecurity rule: SecRule ARGS:title "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Restrict access to /admin/util/Field.php via IP whitelisting or authentication requirements
  • Implement database-level protections: use least privilege database accounts, enable query logging

🔍 How to Verify

Check if Vulnerable:

Check whether the FOXCMS version is <= 1.25 and whether /admin/util/Field.php passes $param['title'] into a query without validation or parameter binding.

Check Version:

Check FOXCMS version in configuration files or admin panel

Verify Fix Applied:

Test SQL injection payloads against the title parameter and verify they are blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin panel
  • Suspicious parameter values in access logs

Network Indicators:

  • SQL keywords in POST requests to /admin/util/Field.php
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/util/Field.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT")

Bare keyword matches such as SELECT or INSERT will also fire on legitimate administrative edits, so treat hits from this query as a triage signal to correlate with the session and source address rather than as a confirmed attack.
