CVE-2025-8930

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Medical Store Management System 1.0 allows attackers to execute arbitrary SQL commands via the companyNameTxt parameter on the Update Company page. Attackers can potentially access, modify, or delete database content including sensitive medical store data. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • Medical Store Management System
Versions: 1.0
Operating Systems: Any OS running the application
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of version 1.0 are vulnerable. The vulnerable code is in the UpdateCompany.java file.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE escalation.

🟠 Likely Case: Unauthorized data access and modification of medical records, inventory data, and user credentials.

🟢 If Mitigated: Limited impact, with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication, making internet-facing instances immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available on vuldb.com and yuque.com. Remote exploitation without authentication confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Upgrade to a newer version if one becomes available, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (applies to: all)

Implement proper input validation and use parameterized queries/prepared statements in UpdateCompany.java: replace the concatenated SQL strings with PreparedStatement.
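As an added illustration (not code from the Medical Store Management System project), the concatenated-query pattern the advisory describes is shown beside a PreparedStatement rewrite with input validation; the table and column names, method signatures and the 100-character length limit are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class UpdateCompanyFix {

    // BEFORE (the pattern described for UpdateCompany.java): the value of
    // companyNameTxt is pasted into the SQL text, so a quote character in the
    // input changes the structure of the statement. Table and column names
    // are assumed for this example.
    static String vulnerableQuery(String companyNameTxt, int companyId) {
        return "UPDATE company SET name = '" + companyNameTxt
             + "' WHERE id = " + companyId;
    }

    // AFTER: the SQL text is a constant containing only placeholders. The
    // driver transmits the values separately from the statement, so user
    // input is never parsed as SQL regardless of its content.
    static int updateCompanyName(Connection conn, int companyId, String companyNameTxt)
            throws SQLException {
        validateCompanyName(companyNameTxt);
        String sql = "UPDATE company SET name = ? WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, companyNameTxt);   // bound as data, not as SQL
            ps.setInt(2, companyId);
            return ps.executeUpdate();         // number of rows changed
        }
    }

    // Defence in depth: reject input that cannot be a legitimate company name
    // before it reaches the database. The 100-character limit is an assumed
    // business rule, not a value from the advisory.
    static void validateCompanyName(String name) {
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("company name is required");
        }
        if (name.length() > 100) {
            throw new IllegalArgumentException("company name exceeds 100 characters");
        }
    }
}
```

Only the second form should remain in UpdateCompany.java; the validation alone does not close the hole, since a length check does not stop a short quoted payload, which is why the parameter binding is the actual fix.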

Web Application Firewall (WAF) (applies to: all)

Deploy a WAF with SQL injection rules to block malicious requests.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict network access controls
  • Run the application with a database user that has only the minimal required permissions (principle of least privilege)

🔍 How to Verify

Check if Vulnerable:

Check whether Medical Store Management System version 1.0 is installed and whether UpdateCompany.java builds its SQL by concatenating the companyNameTxt parameter into the query string

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that UpdateCompany.java uses parameterized queries and proper input validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts or SQL injection patterns in access logs

Network Indicators:

  • HTTP requests with SQL injection payloads in companyNameTxt parameter
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (uri="*UpdateCompany*" AND (param="*companyNameTxt*" AND value="*' OR *"))
