CVE-2025-0698
Published: 24 January 2025
Summary
CVE-2025-0698 is a medium-severity Injection (CWE-74) vulnerability in Joeybling Bootplus. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of the SQL injection flaw in the bootplus /admin/sys/menu/list function up to the affected commit.
Prevents SQL injection exploitation by validating and sanitizing the user-supplied sort/order parameters before incorporation into SQL queries.
Facilitates detection of the SQL injection vulnerability through regular automated scanning, especially given its low complexity and public exploit availability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely reachable admin web endpoint directly enables exploitation of a public-facing application.
NVD Description
A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been classified as critical. Affected is an unknown function of the file /admin/sys/menu/list. The manipulation of the argument sort/order leads to sql injection. It is possible to launch…
more
the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
Deeper analysisAI
CVE-2025-0698 is a SQL injection vulnerability (classified under CWE-74 and CWE-89) in JoeyBling bootplus up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw affects an unknown function in the file /admin/sys/menu/list, where manipulation of the sort/order arguments enables SQL injection.
The vulnerability is exploitable remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low complexity (AV:N/AC:L/UI:N). Per its CVSS v3.1 base score of 6.3 (C:L/I:L/A:L/S:U), exploitation can result in limited impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed and may be used.
Advisories, including GitHub issues #19 and #19#issue-2786879797 in the bootplus repository as well as VulDB entries, provide details on the issue. The project employs continuous delivery with rolling releases, so no specific affected or patched versions are available; security practitioners should monitor the repository for updates beyond the referenced commit.
Details
- CWE(s)