CVE-2025-8929

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Medical Store Management System 1.0 allows attackers to execute arbitrary SQL commands through the searchTxt parameter in MainPanel.java. Attackers can remotely exploit this to access, modify, or delete database content. Organizations using this medical store management software are affected.

💻 Affected Systems

Products:
  • Medical Store Management System
Versions: 1.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable MainPanel.java file accessible via web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including theft of sensitive medical/store data, deletion of critical records, or system takeover via SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized access to medical/store data, potential data exfiltration, and database manipulation affecting business operations.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minimal data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in the referenced links; remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. If no patch is available, implement the workarounds below.
3. Consider replacing the software with an alternative.

🔧 Temporary Workarounds

Input Validation and Sanitization
Platforms: all

Implement parameterized queries or prepared statements for all database interactions, and in particular for the searchTxt parameter.

Replace dynamic SQL with a PreparedStatement, for example:

    PreparedStatement pstmt = connection.prepareStatement("SELECT * FROM table WHERE column = ?");
    pstmt.setString(1, searchTxt);
    ResultSet rs = pstmt.executeQuery();
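The concatenation pattern the advisory describes next to its PreparedStatement replacement, as an added Java example that is not code from the vendor's MainPanel.java; the table name medicine, its name column, the class and method names are assumptions, and the JDBC Connection is opened by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added illustration; not code from the vendor's MainPanel.java. Assumed: a
// "medicine" table with a "name" column, and a JDBC Connection opened by the caller.
public class SearchExample {

    // VULNERABLE pattern (what the advisory describes): searchTxt is concatenated into the
    // SQL text, so input such as  ' OR '1'='1  becomes part of the query structure.
    static List<String> searchUnsafe(Connection conn, String searchTxt) throws SQLException {
        String sql = "SELECT name FROM medicine WHERE name LIKE '%" + searchTxt + "%'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // HARDENED pattern: the SQL text is constant; searchTxt is bound with setString and the
    // driver sends it as data, so  ' OR '1'='1  only matches names containing that text.
    static List<String> searchSafe(Connection conn, String searchTxt) throws SQLException {
        String sql = "SELECT name FROM medicine WHERE name LIKE ? ESCAPE '!'";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            // Wildcards are added here, and LIKE metacharacters in the input are escaped so a
            // bare "%" cannot turn a search into "return every row".
            pstmt.setString(1, "%" + escapeLike(searchTxt) + "%");
            try (ResultSet rs = pstmt.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Escape LIKE metacharacters with '!', the escape character declared in the query.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }
}
```

Pair the bound query with a database account that has only the SELECT/UPDATE rights the search screen needs, as the least-privilege item below recommends.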

Web Application Firewall (WAF)
Platforms: all

Deploy a WAF with SQL injection rules to block malicious requests targeting the searchTxt parameter.

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict it to the internal network only.
  • Implement strict database user permissions following the least-privilege principle.

🔍 How to Verify

Check if Vulnerable:

Test the search functionality with SQL injection payloads such as ' OR '1'='1 in the searchTxt parameter and observe database errors or unexpected results.

Check Version:

Check application version in interface or configuration files; this affects version 1.0 specifically.

Verify Fix Applied:

Retest with the same SQL injection payloads after implementing the fixes; the application should return no data, or handle the error properly, without executing the injected SQL.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in search parameters
  • Database error messages containing SQL fragments
  • Multiple failed login attempts via search functionality

Network Indicators:

  • HTTP requests with SQL keywords in searchTxt parameter
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND (searchTxt CONTAINS "UNION" OR searchTxt CONTAINS "SELECT" OR searchTxt CONTAINS "OR '1'='1")
