CVE-2025-9765

7.3 HIGH

📋 TL;DR

CVE-2025-9765 is an SQL injection vulnerability in itsourcecode Sports Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /Admin/tournament_details.php. This affects all organizations using this specific software version. The vulnerability can lead to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • itsourcecode Sports Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web application component specifically at /Admin/tournament_details.php endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, modification, deletion, or potential server takeover via SQL injection chaining.

🟠 Likely Case

Unauthorized access to sensitive sports management data (athlete records, tournament details, financial information), data manipulation, or denial of service.

🟢 If Mitigated

Limited impact if proper input validation, parameterized queries, and WAF rules are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to all platforms)

Implement strict input validation for the ID parameter so that it accepts only the expected values (an integer tournament ID), and pass the value to the database through a parameterized query rather than by string concatenation.

Web Application Firewall (WAF) Rules (applies to all platforms)

Deploy WAF rules that block SQL injection patterns in requests to the /Admin/tournament_details.php endpoint.

🧯 If You Can't Patch

  • Isolate the Sports Management System behind a reverse proxy with strict input filtering
  • Implement network segmentation so that only the application server can reach the database

🔍 How to Verify

Check if Vulnerable:

Test the /Admin/tournament_details.php endpoint with SQL injection payloads in the ID parameter (e.g., ID=1' OR '1'='1).

Check Version:

Check the software version in the application interface or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads sent to the ID parameter are rejected (a validation error or a WAF block) instead of being executed by the database.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Repeated requests to /Admin/tournament_details.php with manipulated ID values, or clusters of failed login attempts

Network Indicators:

  • SQL injection patterns in HTTP requests to the vulnerable endpoint
  • Unusual database query patterns from the application server

SIEM Query:

source="web_logs" AND uri="/Admin/tournament_details.php" AND (query CONTAINS "'" OR query CONTAINS "OR" OR query CONTAINS "UNION")
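The substring matches above (a quote, "OR", "UNION") also fire on legitimate input, so a tighter check is to apply the same allowlist used for the workaround on the log side. The following is an added example, not code from the page or the vendor: it parses combined-format access log lines (constructed samples, not real traffic) and flags every request to /Admin/tournament_details.php whose ID parameter is anything other than a plain integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:10:01:02 +0000] "GET /Admin/tournament_details.php?ID=7 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2025:10:01:09 +0000] "GET /Admin/tournament_details.php?ID=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "curl/8.4.0"
10.0.0.9 - - [12/Sep/2025:10:01:15 +0000] "GET /Admin/tournament_details.php?ID=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 412 "-" "curl/8.4.0"
10.0.0.5 - - [12/Sep/2025:10:02:00 +0000] "GET /Admin/index.php?ID=7%27 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Sep/2025:10:02:30 +0000] "GET /Admin/tournament_details.php?ID=12 HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/Admin/tournament_details.php"
# Allowlist: a tournament ID is a short string of digits and nothing else.
INT_ID = re.compile(r"^[0-9]{1,10}$")


def find_suspicious_requests(log_text):
    """Return (client ip, status, decoded ID value) for every request to the
    vulnerable endpoint whose ID parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue  # other endpoints are out of scope for this check
        # parse_qs percent-decodes, so %27 / %20 come back as the quote and space.
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
            if not INT_ID.match(raw_id):
                hits.append((m.group("ip"), int(m.group("status")), raw_id))
    return hits


if __name__ == "__main__":
    for ip, status, raw_id in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} ID={raw_id!r}")
```

Tune INT_ID if the application accepts other legitimate ID formats; a 500 status on a flagged request is a strong signal that the payload reached the database.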
