CVE-2025-46179
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-06-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vishalmathur | cloudclassroom-php_project | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-46179 is a SQL Injection vulnerability in the askquery.php file of CloudClassroom-PHP v1.0. It occurs because the 'queryx' parameter accepts unsanitized user input that is directly included in backend SQL queries without validation or parameterization. This allows attackers to manipulate the SQL queries executed by the application, potentially retrieving, modifying, or deleting sensitive data, bypassing authentication, or causing other harmful effects. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to remotely execute arbitrary SQL commands on the database. Impacts include unauthorized access to sensitive data such as passwords and personal information, data exfiltration or modification, privilege escalation, denial-of-service attacks, and potentially executing code on the underlying server depending on the database configuration. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL Injection vulnerability can be detected by submitting test payloads to the vulnerable parameter (queryx in askquery.php) and observing the application's response. Common detection payloads include single quotes ('), Boolean conditions like OR 1=1, time-delay triggers, and out-of-band payloads. For example, a time-based blind SQL Injection test payload is: `5550'XOR(555*if(now()=sysdate(),sleep(6),0))XOR'Z` which causes a delay in the server response if vulnerable. Automated tools like Burp Suite Scanner can also be used to identify such vulnerabilities efficiently. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements with parameterized queries to prevent unsanitized input from altering SQL query structure, validating and sanitizing all user inputs, and applying least privilege principles to database user accounts to limit potential damage. Additionally, integrating automated code scanning into CI/CD pipelines can help detect such vulnerabilities early in development. [2, 1]