CVE-2025-8928

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Medical Store Management System 1.0 allows attackers to manipulate database queries through the productNameTxt parameter. Attackers can potentially read, modify, or delete sensitive medical store data. Organizations using this software are affected.

💻 Affected Systems

Products:
  • code-projects Medical Store Management System
Versions: 1.0
Operating Systems: Any OS running the application
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or unauthorized administrative access to the system

🟠 Likely Case: Extraction of sensitive medical store data including patient information, inventory details, and financial records

🟢 If Mitigated: Limited information disclosure if proper input validation and database permissions are configured

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the system

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed, and the vulnerability requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Consider implementing parameterized queries and input validation in UpdateMedicines.java.
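As an added illustration of that fix (this is not the project's code; the table name, column names and method shape are assumptions), the string-concatenated form that makes the productNameTxt value part of the SQL text, beside the PreparedStatement form that binds it as data:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

public class UpdateMedicinesFix {

    // Assumed shape of the defect: the request parameter is concatenated into
    // the SQL string, so any quote or comment sequence in the value changes the
    // structure of the statement the database parses.
    static int updatePriceUnsafe(Connection conn, String productNameTxt, double price)
            throws SQLException {
        String sql = "UPDATE medicines SET price = " + price
                + " WHERE product_name = '" + productNameTxt + "'";
        try (Statement st = conn.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // Hardened form: the SQL text is fixed at compile time and the value is
    // bound through a placeholder. The JDBC driver sends it separately from the
    // query, so it is never interpreted as SQL whatever characters it contains.
    // The length/blank check is defence in depth, not the primary control.
    static int updatePriceSafe(Connection conn, String productNameTxt, double price)
            throws SQLException {
        if (productNameTxt == null || productNameTxt.isBlank()
                || productNameTxt.length() > 100) {
            throw new IllegalArgumentException("invalid product name");
        }
        String sql = "UPDATE medicines SET price = ? WHERE product_name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setDouble(1, price);
            ps.setString(2, productNameTxt);
            return ps.executeUpdate();
        }
    }
}
```

The same pattern applies to every other statement in the servlet that embeds a request parameter, not only the one behind productNameTxt.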

🔧 Temporary Workarounds

Implement Input Validation (scope: all)

Add server-side validation to sanitize the productNameTxt parameter before processing

Web Application Firewall (scope: all)

Deploy a WAF with SQL injection rules to block malicious requests

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict database user permissions with least privilege principle

🔍 How to Verify

Check if Vulnerable:

Test the Update Medicines page with SQL injection payloads in the productNameTxt parameter

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts following SQL payloads

Network Indicators:

  • HTTP requests containing SQL keywords like UNION, SELECT, INSERT in productNameTxt parameter

SIEM Query:

http.url:*UpdateMedicines* AND (http.param:*productNameTxt* AND (http.param:*UNION* OR http.param:*SELECT* OR http.param:*--*))
