CVE-2025-0229
Published: 05 January 2025
Summary
CVE-2025-0229 is a medium-severity Injection (CWE-74) vulnerability in Fabian Travel Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of untrusted inputs like pid/t1-t7 in /enquiry.php to block SQL injection exploitation.
Mandates timely identification, reporting, and correction of the SQL injection flaw in Travel Management System 1.0.
Restricts input parameters to organization-defined types and limits, reducing the attack surface for SQL injection payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection in the public-facing /enquiry.php endpoint enables exploitation of public-facing applications (T1190), abuse of server software components through arbitrary SQL execution (T1505 as noted in advisory), and collection of data from databases via UNION-based queries (T1213.006).
NVD Description
A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0. This issue affects some unknown processing of the file /enquiry.php. The manipulation of the argument pid/t1/t2/t3/t4/t5/t6/t7 leads to sql injection. The attack may be…
more
initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0229 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) affecting code-projects Travel Management System version 1.0. The flaw exists in the processing of the /enquiry.php file, where manipulation of arguments including pid, t1, t2, t3, t4, t5, t6, and t7 enables SQL injection attacks.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely by attackers possessing low privileges. Exploitation requires no user interaction and allows limited impacts on confidentiality, integrity, and availability via SQL injection, potentially enabling unauthorized data access, modification, or disruption within the affected application's database.
Advisories from VulDB (ctiid.290225, id.290225, submit.474572) and references including code-projects.org and a GitHub repository (Huandtx/cve/sql1.md) detail the issue, with the exploit publicly disclosed and available for potential use. No specific patches or mitigations are outlined in the provided information.
Details
- CWE(s)