CVE-2025-3143

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in SourceCodester Apartment Visitor Management System 1.0 allows attackers to manipulate database queries through the visitor entry form. Remote attackers can potentially access, modify, or delete sensitive visitor data. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Apartment Visitor Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /visitor-entry.php file specifically; multiple parameters (visname, address) are vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE escalation

🟠 Likely Case

Unauthorized access to visitor records including personal information, potential privilege escalation within the application

🟢 If Mitigated

Limited impact if proper input validation and WAF rules block malicious SQL payloads

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub; remote exploitation requires no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement parameterized queries and input validation for all user inputs in visitor-entry.php

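Modify PHP code to use prepared statements and execute them, so user input is bound as data instead of being concatenated into the query: $stmt = $conn->prepare('INSERT INTO visitors (name, address) VALUES (?, ?)'); $stmt->bind_param('ss', $visname, $address); $stmt->execute();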

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns targeting visitor-entry.php

ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
Cloudflare WAF: Enable SQLi protection

🧯 If You Can't Patch

  • Block external access to /visitor-entry.php via firewall rules or web server configuration
  • Implement network segmentation to isolate the vulnerable system from sensitive data

🔍 How to Verify

Check if Vulnerable:

Test /visitor-entry.php with SQL injection payloads like ' OR '1'='1 in visname or address parameters

Check Version:

Check application version in admin panel or readme files; system shows 'Apartment Visitor Management System 1.0'

Verify Fix Applied:

Attempt SQL injection again after implementing parameterized queries; payloads that previously succeeded should now fail, with proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in PHP logs
  • Multiple failed login attempts or SQL syntax errors in visitor-entry.php access logs

Network Indicators:

  • HTTP POST requests to /visitor-entry.php containing SQL keywords (UNION, SELECT, INSERT) in parameters

SIEM Query:

source="apache_logs" AND uri_path="/visitor-entry.php" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*OR '1'='1*")
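
Added example, not part of the original advisory: the SIEM query above matches raw query strings only, so it misses URL-encoded values and POST bodies, and a bare UNION match also fires on an address such as "12 Union Street". The Python sketch below decodes the visname and address parameters before matching; it assumes request bodies are available to the detector (default web server access logs do not record them), and the record fields and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

TARGET_PATH = "/visitor-entry.php"   # endpoint named on this page
WATCHED = {"visname", "address"}     # parameters named on this page

# Keyword pairs instead of bare keywords, so "12 Union Street" is not flagged.
PATTERNS = [
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\bselect\b.+\bfrom\b", re.I),
    re.compile(r"\binsert\s+into\b", re.I),
    # Quote followed by a tautology, e.g. ' OR '1'='1
    re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
]

def flagged_params(path, query_string="", body=""):
    """Return sorted names of watched parameters whose decoded value matches."""
    if path != TARGET_PATH:
        return []
    # parse_qsl undoes %XX and '+' encoding, which a raw substring match misses.
    pairs = parse_qsl(query_string, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = {name for name, value in pairs
            if name in WATCHED and any(p.search(value) for p in PATTERNS)}
    return sorted(hits)

# Constructed sample requests (field names are assumptions, not a real log schema).
SAMPLE = [
    {"path": "/visitor-entry.php", "qs": "",
     "body": "visname=Ann+D%27Orsay&address=12+Union+Street"},
    {"path": "/visitor-entry.php", "qs": "",
     "body": "visname=x%27+OR+%271%27%3D%271&address=Flat+4"},
    {"path": "/visitor-entry.php", "qs": "address=x%27%20UNION%20SELECT%201",
     "body": ""},
    {"path": "/index.php", "qs": "", "body": "visname=x%27+OR+%271%27%3D%271"},
]

def scan(records):
    """Return (record index, flagged parameter names) for each suspicious record."""
    results = []
    for i, rec in enumerate(records):
        names = flagged_params(rec["path"], rec["qs"], rec["body"])
        if names:
            results.append((i, names))
    return results

if __name__ == "__main__":
    for index, names in scan(SAMPLE):
        print(f"record {index}: suspicious value in {', '.join(names)}")
```

Pattern matching of this kind is a monitoring aid only; parameterized queries in visitor-entry.php remain the actual fix.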
