CVE-2025-1189
Published: 12 February 2025
Summary
CVE-2025-1189 is a medium-severity Injection (CWE-74) vulnerability in 1000Projects Attendance Tracking Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SQL injection by requiring validation of the course_id parameter at input points to prevent malicious SQL code execution.
Requires identification, reporting, and correction of the specific SQL injection flaw in /admin/chart1.php to eliminate the vulnerability.
Boundary protection mechanisms like web application firewalls inspect and block SQL injection attempts on the course_id parameter in remote requests.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing web application (/admin/chart1.php) enables exploitation for initial access (T1190) and arbitrary database queries for data collection (T1213.006).
NVD Description
A vulnerability, which was classified as critical, was found in 1000 Projects Attendance Tracking Management System 1.0. This affects an unknown part of the file /admin/chart1.php. The manipulation of the argument course_id leads to sql injection. It is possible to…
more
initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1189 is a critical SQL injection vulnerability in the 1000 Projects Attendance Tracking Management System version 1.0. The flaw affects an unknown functionality within the /admin/chart1.php file, where manipulation of the course_id argument enables SQL injection. Published on 2025-02-12T10:15:14.540, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-89.
The vulnerability is exploitable remotely by authenticated attackers with low privileges, requiring low complexity and no user interaction. Successful exploitation grants limited access to confidential data, enables minor modifications to system integrity, and allows low-level denial of service, potentially compromising attendance tracking data or related administrative functions.
Advisories from VulDB (ctiid.295095, id.295095, submit.496452) and a GitHub repository detail the issue, while the vendor site at 1000projects.org provides context on the software. The exploit has been publicly disclosed and may be actively used by attackers. No specific patches or mitigations are outlined in the initial disclosure.
Details
- CWE(s)