CVE-2025-0843
Published: 29 January 2025
Summary
CVE-2025-0843 is a high-severity Injection (CWE-74) vulnerability in Needyamin Library Card System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing email and password inputs to the admindashboard.php function before SQL query construction.
Remediates the specific SQL injection flaw in the Library Card System's admin panel through timely patching or code correction.
Detects the SQL injection vulnerability via automated scanning tools and enables proactive remediation to prevent exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing admin panel (admindashboard.php) enables exploitation of public-facing web applications (T1190) and abuse of server software components (T1505), as explicitly mapped in the advisory; facilitates unauthorized DB access, data breaches, and potential web shell deployment.
NVD Description
A vulnerability was found in needyamin Library Card System 1.0. It has been classified as critical. Affected is an unknown function of the file admindashboard.php of the component Admin Panel. The manipulation of the argument email/password leads to sql injection.…
more
It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0843 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in the needyamin Library Card System version 1.0. The flaw resides in an unknown function within the file admindashboard.php of the Admin Panel component. It enables attackers to manipulate the email and password arguments to inject malicious SQL code.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized access such as admin login bypass.
Advisories from VulDB (https://vuldb.com/?ctiid.294000, https://vuldb.com/?id.294000, https://vuldb.com/?submit.485553) and a security blog (https://www.websecurityinsights.my.id/2025/01/library-card-system-admin-login-bypass.html?m=1) provide details on the issue, but no specific patches or mitigations are mentioned in the disclosure.
The exploit has been publicly disclosed, making it available for potential use by attackers.
Details
- CWE(s)