CVE-2025-0564
Published: 19 January 2025
Summary
CVE-2025-0564 is a medium-severity Injection (CWE-74) vulnerability in Anisha Fantasy-Cricket. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-0564 is a critical SQL injection vulnerability (CWE-74, CWE-89) discovered in code-projects Fantasy-Cricket version 1.0. The flaw resides in an unknown functionality of the file /authenticate.php, where manipulation of the uname argument enables SQL injection. Published on 2025-01-19, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely over the network with low attack complexity, requiring no privileges, user interaction, or impact on scope. Successful exploitation allows attackers to achieve low-level impacts on confidentiality, integrity, and availability through SQL injection.
Advisories and further details, including submission records, are documented in references such as https://vuldb.com/?ctiid.292525, https://vuldb.com/?id.292525, https://vuldb.com/?submit.484186, https://code-projects.org/, and https://github.com/LiuSir5211314/-sir/issues/3.
The exploit has been disclosed publicly and may be used by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1761
Vulnerability details
A vulnerability was found in code-projects Fantasy-Cricket 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /authenticate.php. The manipulation of the argument uname leads to sql injection. The attack can be…
more
launched remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of a public-facing web application via SQL injection in authenticate.php.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by requiring validation of the 'uname' argument in /authenticate.php to ensure only valid inputs are processed.
Mandates timely identification, reporting, and correction of the SQL injection flaw in Fantasy-Cricket 1.0, eliminating the vulnerability.
Implements boundary protection such as web application firewalls to monitor and block remote SQL injection payloads targeting /authenticate.php.