CVE-2025-14897
BaseFortify
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codeastro | real_estate_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw in the CodeAstro Real Estate Management System version 1.0, specifically in the administrator endpoint file /admin/useragentdelete.php. It occurs because the system improperly handles externally influenced input used in SQL commands without adequate neutralization, allowing an attacker to manipulate the SQL query. This can be exploited remotely by an attacker with some level of authentication to execute arbitrary SQL commands. [2, 3]
How can this vulnerability impact me?
The vulnerability can impact you by compromising the confidentiality, integrity, and availability of the system. An attacker can read arbitrary data from the user database table or delete unintended rows, potentially leading to data leakage, data loss, or unauthorized data manipulation. Since the attack can be initiated remotely, it poses a significant risk to the system's security. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by identifying the presence of the vulnerable endpoint `/admin/useragentdelete.php` on your system. One method is to use Google dorking with the query `inurl:admin/useragentdelete.php` to find exposed instances. Additionally, monitoring for unusual SQL query patterns or unexpected database behavior related to this endpoint may help detect exploitation attempts. Specific commands are not provided, but searching web server logs for requests to `/admin/useragentdelete.php` with suspicious parameters could be useful. [2]
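The log search described above can be scripted. The following is an added example, not code from the advisory or the vendor: it scans access-log lines for requests to `/admin/useragentdelete.php` and flags any query value that is not a plain integer. It assumes the Apache/nginx combined log format and that legitimate values for a delete action are numeric IDs; the parameter name `id` and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/admin/useragentdelete.php"  # path named in the advisory

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: a legitimate value is a short ASCII integer. fullmatch() is used
# so that a trailing newline (%0A) after the digits is not accepted.
BENIGN_VALUE = re.compile(r"[0-9]{1,10}")


def suspicious_requests(lines):
    """Return one dict per request to ENDPOINT carrying a non-integer query value."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if url.path.lower() != ENDPOINT:
            continue
        # parse_qsl percent-decodes, so encoded quotes and spaces appear in clear.
        params = parse_qsl(url.query, keep_blank_values=True)
        bad = [(k, v) for k, v in params if not BENIGN_VALUE.fullmatch(v)]
        if bad:
            hits.append({"ip": m["ip"], "time": m["time"],
                         "status": int(m["status"]), "params": bad})
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical "id" parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2025:10:01:02 +0000] "GET /admin/useragentdelete.php?id=7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Dec/2025:10:05:44 +0000] "GET /admin/useragentdelete.php?id=7%27 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.23 - - [19/Dec/2025:10:05:50 +0000] "GET /admin/useragentdelete.php?id=7%20OR%201%3D1 HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '203.0.113.5 - - [19/Dec/2025:10:07:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["params"])
```

Access logs record only the request line, so values sent in a POST body are not visible to this check; those need application-level or WAF logging.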
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the `/admin/useragentdelete.php` endpoint to trusted administrators only, applying strict input validation and sanitization on all inputs to this endpoint, and monitoring for exploitation attempts. Since no known vendor fixes or countermeasures are reported, replacing the affected product or disabling the vulnerable functionality is recommended until a patch is available. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized SQL injection attacks that can compromise the confidentiality, integrity, and availability of sensitive data within the system. Such data breaches or unauthorized data manipulation could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. However, no explicit mention of compliance impact or regulatory considerations is provided in the available resources. [2, 3]