CVE-2025-0536

MediumPublic PoC

Published: 17 January 2025

Published

17 January 2025

Modified

25 February 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0011 29.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0536 is a medium-severity Injection (CWE-74) vulnerability in 1000Projects Attendance Tracking Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by validating the attendance_id parameter against expected formats and rejecting malicious SQL payloads.

SI-9 Information Input Restrictions good match

prevent

Restricts the attendance_id input to authorized types and lengths, such as integers only, blocking SQL injection attempts.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific SQL injection flaw in /admin/edit_action.php through patching and verification.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web app (/admin/edit_action.php) enables exploitation (T1190), unauthorized database queries for data collection (T1213.006), and data tampering/deletion (T1565.001), impacting confidentiality, integrity, and availability.

NVD Description

A vulnerability classified as critical was found in 1000 Projects Attendance Tracking Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_action.php. The manipulation of the argument attendance_id leads to sql injection. The attack can be initiated remotely.…

The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-0536 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting the 1000 Projects Attendance Tracking Management System version 1.0. The flaw exists in unknown code within the file /admin/edit_action.php, where manipulation of the attendance_id argument enables SQL code injection. Published on 2025-01-17, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads.

Advisories and details are documented on VulDB (ctiid.292420, id.292420, submit.479251), with a proof-of-concept exploit disclosed publicly on GitHub at lan041221/cve/blob/main/Attendance_Tracking_Management_System_SQL_Injection.md. The project website is available at https://1000projects.org/. No specific patch or mitigation guidance is detailed in the referenced sources.

Details

CWE(s): CWE-74 CWE-89

Affected Products

1000projects

attendance tracking management system

1.0

CVEs Like This One

CVE-2025-1189Same product: 1000Projects Attendance Tracking Management System

CVE-2025-0847Same vendor: 1000Projects

CVE-2025-7466Same vendor: 1000Projects

CVE-2025-0534Same vendor: 1000Projects

CVE-2025-1172Same vendor: 1000Projects

CVE-2025-0533Same vendor: 1000Projects

CVE-2025-0846Same vendor: 1000Projects

CVE-2025-1173Same vendor: 1000Projects

CVE-2026-0850Shared CWE-74, CWE-89

CVE-2026-3487Shared CWE-74, CWE-89

References

https://1000projects.org/
Product · cna@vuldb.com
https://github.com/lan041221/cve/blob/main/Attendance_Tracking_Management_System_SQL_Injection.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.292420
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.292420
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.479251
Third Party Advisory, VDB Entry · cna@vuldb.com