Login Sign Up

CVE-2025-7170

7.3 HIGH
SQL Injection

📋 TL;DR

A critical SQL injection vulnerability exists in the Crime Reporting System 1.0's registration.php file, allowing remote attackers to manipulate database queries through the Name parameter. This affects all deployments of Crime Reporting System 1.0 that expose the registration functionality. Attackers can potentially read, modify, or delete database content.

💻 Affected Systems

Products:
  • code-projects Crime Reporting System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with registration.php accessible are vulnerable. No special configuration required.

📦 What is this software?

Crime Reporting System by Code Projects

View all CVEs affecting Crime Reporting System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution, or system takeover.

🟠

Likely Case

Data exfiltration, user account compromise, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available. SQL injection via Name parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates. 2. If no patch, implement parameterized queries in registration.php. 3. Validate and sanitize all user inputs, especially the Name parameter.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to reject SQL injection patterns in the Name parameter

# In registration.php, add: $name = mysqli_real_escape_string($conn, $_POST['Name']);

Web Application Firewall

all

Deploy WAF with SQL injection rules to block malicious requests

# Example mod_security rule: SecRule ARGS:Name "@detectSQLi" "id:1001,phase:2,deny"

🧯 If You Can't Patch

  • Block external access to registration.php via firewall rules or web server configuration
  • Implement strict database user permissions with read-only access where possible

🔍 How to Verify

Check if Vulnerable:

Test registration.php with SQL injection payloads like ' OR '1'='1 in Name parameter

Check Version:

# Check application version in source code or documentation

Verify Fix Applied:

Verify parameterized queries are implemented and test with SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web logs
  • Unusual database queries from web server IP
  • Multiple failed registration attempts with special characters

Network Indicators:

  • HTTP POST requests to registration.php with SQL keywords in parameters
  • Unusual database response sizes

SIEM Query:

source="web.log" AND uri="/registration.php" AND (payload="' OR" OR payload="UNION" OR payload="SELECT")

📊 Metadata

CVE ID: CVE-2025-7170
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.04% exploit probability (12.4th percentile)
Published: July 8, 2025
Last Updated: July 9, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-7170, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)