CVE-2025-14666
BaseFortify
Publication date: 2025-12-14
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| angeljudesuarez | covid_tracking_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14666 is a critical SQL injection vulnerability in the itsourcecode COVID Tracking System 1.0, specifically in the /admin/?page=user endpoint. The vulnerability occurs because the 'username' parameter submitted via a multipart POST request is not properly validated or sanitized, allowing attackers to inject malicious SQL code. This flaw can be exploited remotely without authentication, enabling attackers to manipulate SQL queries directly. A proof-of-concept exploit demonstrates a time-based blind SQL injection attack, confirming the vulnerability. [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability allows attackers to perform unauthorized database operations such as accessing sensitive data, modifying or deleting records, gaining full system control, and causing service disruptions. Since no authentication is required, the system is highly vulnerable to remote attacks that can compromise confidentiality, integrity, and availability of the system and its data. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the '/cts/admin/?page=user' endpoint for SQL injection via the 'username' parameter in multipart POST requests. Tools like sqlmap can be used to automate detection. For example, a command using sqlmap might be: sqlmap -u "http://target/cts/admin/?page=user" --data="username=admin&[email protected]&password=pass&id=1&img=" --method=POST --risk=3 --level=5 --technique=BEUSTQ --dbms=MySQL. Additionally, manual testing can involve injecting SQL payloads such as 'admin' OR '1'='1' into the username field and observing responses or delays (e.g., using time-based payloads like SLEEP in MySQL). [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection, enforcing strict input validation and filtering on the 'username' and other input fields, and minimizing database user privileges by avoiding the use of high-privilege accounts for routine operations. Conducting regular security audits to detect and remediate vulnerabilities promptly is also recommended. Since no patches are currently available, these measures are critical to protect system security and data integrity. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to sensitive data through SQL injection, which can lead to data breaches and unauthorized modification or deletion of data. Such security weaknesses can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access and ensuring data integrity. Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing sensitive user data and failing to maintain adequate security controls. [1, 2, 3]