CVE-2025-0701
Published: 24 January 2025
Summary
CVE-2025-0701 is a medium-severity Injection (CWE-74) vulnerability in Joeybling Bootplus. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 30.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely remediation of the specific SQL injection flaw in the bootplus /admin/sys/user/list endpoint via patches or updates to the latest commits.
- Enforces validation and sanitization of the 'sort' argument to neutralize SQL injection payloads before they reach database queries.
- Restricts the 'sort' parameter to whitelisted values, blocking unauthorized SQL injection attempts through input limitations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote SQL injection in a web admin endpoint enables exploitation of public-facing applications.
NVD Description
A vulnerability classified as critical has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. This affects an unknown part of the file /admin/sys/user/list. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
Deeper analysis
CVE-2025-0701 is a critical SQL injection vulnerability in the JoeyBling bootplus project, affecting an unknown part of the /admin/sys/user/list file up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw stems from manipulation of the "sort" argument and is classified under CWE-74 (Injection) and CWE-89 (SQL Injection). It was published on 2025-01-24 and carries a CVSS v3.1 base score of 6.3.
An attacker can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing unauthorized data access, modification, or disruption via injected SQL queries.
Advisories on VulDB (ctiid.293229, id.293229) and GitHub (JoeyBling/bootplus issues #23 and #2786909921) confirm the remote exploitability and note that it has been publicly disclosed and may be used. The project follows a rolling release model for continuous delivery, so no specific versions for affected or updated releases are provided; security practitioners should update to the latest commits for mitigation.
Details
- CWE(s)