Cyber Resilience

CVE-2025-0536

MediumPublic PoC

Published: 17 January 2025

Published
17 January 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0536 is a medium-severity Injection (CWE-74) vulnerability in 1000Projects Attendance Tracking Management System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0536 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting the 1000 Projects Attendance Tracking Management System version 1.0. The flaw exists in unknown code within the file /admin/edit_action.php, where manipulation of the attendance_id argument enables SQL code injection. Published on 2025-01-17, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads.

Advisories and details are documented on VulDB (ctiid.292420, id.292420, submit.479251), with a proof-of-concept exploit disclosed publicly on GitHub at lan041221/cve/blob/main/Attendance_Tracking_Management_System_SQL_Injection.md. The project website is available at https://1000projects.org/. No specific patch or mitigation guidance is detailed in the referenced sources.

EU & UK References

Vulnerability details

A vulnerability classified as critical was found in 1000 Projects Attendance Tracking Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_action.php. The manipulation of the argument attendance_id leads to sql injection. The attack can be initiated remotely.…

more

The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in public-facing web app (/admin/edit_action.php) enables exploitation (T1190), unauthorized database queries for data collection (T1213.006), and data tampering/deletion (T1565.001), impacting confidentiality, integrity, and availability.

CVEs Like This One

CVE-2025-1189Same product: 1000Projects Attendance Tracking Management System
CVE-2025-0847Same vendor: 1000Projects
CVE-2025-7466Same vendor: 1000Projects
CVE-2025-0534Same vendor: 1000Projects
CVE-2025-0533Same vendor: 1000Projects
CVE-2025-1172Same vendor: 1000Projects
CVE-2025-0846Same vendor: 1000Projects
CVE-2025-1173Same vendor: 1000Projects
CVE-2025-7173Shared CWE-74, CWE-89
CVE-2025-1894Shared CWE-74, CWE-89

Affected Assets

1000projects
attendance tracking management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating the attendance_id parameter against expected formats and rejecting malicious SQL payloads.

prevent

Restricts the attendance_id input to authorized types and lengths, such as integers only, blocking SQL injection attempts.

prevent

Requires timely remediation of the specific SQL injection flaw in /admin/edit_action.php through patching and verification.

References