CVE-2025-14899
BaseFortify
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codeastro | real_estate_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14899 is a SQL injection vulnerability in CodeAstro Real Estate Management System version 1.0, specifically in the Administrator Endpoint file /admin/stateadd.php. It occurs due to improper handling of user input used in SQL commands, allowing an attacker with some level of authentication to remotely manipulate SQL queries. This can lead to unauthorized access or modification of the database. [1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to compromise the confidentiality, integrity, and availability of your system's data. An attacker can remotely manipulate SQL queries to access or modify sensitive information in the database, potentially leading to data breaches, unauthorized data changes, or disruption of service. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying access attempts to the vulnerable endpoint /admin/stateadd.php, especially with suspicious or crafted input that may indicate SQL injection attempts. One method is to use Google dorking with the query inurl:admin/stateadd.php to find exposed instances. On your system, monitoring web server logs for requests to /admin/stateadd.php with unusual parameters or SQL syntax can help detect exploitation attempts. Additionally, using tools like sqlmap against the endpoint can confirm the presence of SQL injection. Example commands include: [1]
1. grep '/admin/stateadd.php' /var/log/apache2/access.log
2. sqlmap -u "http://target/admin/stateadd.php" --data="<POST data>" --risk=3 --level=5
3. Testing injection with curl: curl -X POST -d "param=' OR '1'='1" http://target/admin/stateadd.php
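As an added example that is not part of the BaseFortify record or of the CodeAstro product, the following Python script applies the log-monitoring advice above: it parses Apache combined-format access lines, keeps only requests to /admin/stateadd.php, URL-decodes every query parameter and flags values that contain SQL-injection-style syntax. The log lines are constructed sample data; the endpoint path and the ' OR '1'='1 payload come from the record, while the parameter name state and the regex heuristics are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

VULN_PATH = "/admin/stateadd.php"  # endpoint named in the CVE record

# Constructed sample lines (Apache combined format); not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2025:10:01:02 +0000] "GET /admin/stateadd.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2025:10:01:09 +0000] "POST /admin/stateadd.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2025:10:02:30 +0000] "GET /admin/stateadd.php?state=Texas HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2025:10:02:41 +0000] "GET /admin/stateadd.php?state=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2025:10:02:45 +0000] "GET /admin/stateadd.php?state=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.9 - - [19/Dec/2025:10:03:00 +0000] "GET /index.php?page=1%27%20OR%201%3D1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Heuristic (assumed): a quote followed by a SQL keyword or terminator, a
# numeric tautology such as "OR 1=1", or a trailing comment marker.
SQLI_RE = re.compile(
    r"'\s*(?:or|and|union|--|#|;)|\b(?:or|and)\s+\d+\s*=\s*\d+|--\s*$|/\*",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_params(target):
    """Return (name, decoded value) pairs on VULN_PATH that look like SQL injection."""
    url = urlsplit(target)
    if url.path != VULN_PATH:
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; catch double encoding
        if SQLI_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(log_text):
    """Flag requests to the vulnerable endpoint whose query string carries SQL syntax.
    POST bodies (as in the curl example above) are not in access logs, so a bare
    POST to the endpoint is still worth correlating with database error logs."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = suspicious_params(rec["target"]) if rec else []
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "params": hits})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 5xx status alongside a flagged parameter (as in the fourth sample line) is a stronger signal, since a broken query often surfaces as a server error.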
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /admin/stateadd.php endpoint to trusted administrators only, applying strict input validation and sanitization on all inputs to this endpoint, and monitoring for suspicious activity. Since no known countermeasures or patches are currently available, replacing or upgrading the affected component or product is recommended. Additionally, disabling or limiting the administrator endpoint until a fix is applied can reduce risk. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this SQL injection vulnerability in CodeAstro Real Estate Management System affects compliance with common standards and regulations such as GDPR or HIPAA.