CVE-2025-9595
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in code-projects Student Information Management System 1.0. The impacted element is an unknown function of the file /login.php. The manipulation of the argument uname results in cross site scripting. The attack may be performed from a remote location. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2025-08-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-9595
EUVD
EUVD-2025-26157
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode student_information_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-9595 is a critical SQL injection vulnerability in the Student Information Management System 1.0, specifically in the /login.php file. The vulnerability occurs because the uname parameter is improperly handled and directly included in SQL queries without proper validation or sanitization. This allows attackers to inject malicious SQL code remotely, potentially manipulating database queries to gain unauthorized access or control. [1]


How can this vulnerability impact me? :

This vulnerability can allow attackers to gain unauthorized access to the database, extract sensitive information, modify or delete records, take full control of the system, and disrupt services. Exploiting this flaw requires no authentication, making it highly dangerous and capable of severely compromising system security and business continuity. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the `uname` POST parameter in the `/login.php` file for SQL injection. Automated tools like sqlmap can be used to confirm the vulnerability by enumerating databases via the injection point. Example payloads to test include: `uname=111' RLIKE (SELECT (CASE WHEN (9713=9713) THEN 111 ELSE 0x28 END))-- MsHX` and `uname=111' AND (SELECT 3653 FROM (SELECT(SLEEP(5)))uJnN)-- uFsi`. Using sqlmap, a command might be: `sqlmap -u http://target/login.php --data "uname=111" --risk=3 --level=5` to detect SQL injection. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Implement prepared statements with parameter binding to separate SQL code from user input, preventing SQL injection. 2) Enforce strict input validation and filtering on the `uname` parameter to reject malicious payloads. 3) Minimize database user privileges by avoiding high-privilege accounts for routine operations. 4) Conduct regular security audits and code reviews to detect and fix vulnerabilities promptly. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart