CVE-2025-0946
Published: 01 February 2025
Summary
CVE-2025-0946 is a medium-severity Injection (CWE-74) vulnerability in Angeljudesuarez Tailoring Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing the 'id' argument in templatedelete.php against malicious SQL payloads.
Requires timely patching or code remediation of the specific SQL injection flaw in Tailoring Management System 1.0.
Identifies SQL injection vulnerabilities like CVE-2025-0946 through automated vulnerability scanning of web applications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing PHP web application (templatedelete.php and others) enables exploitation of public-facing applications (T1190) and unauthorized database access for data collection (T1213.006), as demonstrated by sqlmap dumping database information.
NVD Description
A vulnerability classified as critical was found in itsourcecode Tailoring Management System 1.0. Affected by this vulnerability is an unknown functionality of the file templatedelete.php. The manipulation of the argument id leads to sql injection. The attack can be launched…
more
remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0946 is a critical SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Tailoring Management System version 1.0. The flaw affects an unknown functionality within the templatedelete.php file, where manipulation of the 'id' argument triggers the injection.
The vulnerability enables remote exploitation by low-privileged users (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, score 6.3). Attackers can launch the exploit to perform SQL injection, potentially compromising data confidentiality, integrity, and availability to a limited extent.
VulDB advisories (ctiid.294301, id.294301) document the issue, while a proof-of-concept exploit is publicly disclosed on GitHub at magic2353112890/cve/issues/7. The vendor site is itsourcecode.com, published on 2025-02-01.
The exploit has been disclosed to the public and may be used.
Details
- CWE(s)