CVE-2025-1843
Published: 03 March 2025
Summary
CVE-2025-1843 is a medium-severity injection (CWE-74) vulnerability in Project Team Tmall Demo (Mini-Tmall): SQL injection through the orderBy argument of the select function in com/xq/tmall/dao/ProductMapper.java. Its CVSS v3.1 base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The issue ranks at the 18.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of untrusted inputs such as the orderBy argument, blocking SQL injection payloads before they reach the query in ProductMapper.java.
- Restricting information inputs to approved values, for example limiting orderBy to an allowlist of sortable columns, prevents injected SQL from ever being executed.
- SI-2 (Flaw Remediation): requires identification, prioritization and remediation of flaws such as this SQL injection through patching or code hardening.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remotely exploitable SQL injection in a public-facing web application (the Mini-Tmall ProductMapper.java orderBy parameter) maps to Exploit Public-Facing Application (T1190); note that the CVSS vector rates it as requiring low privileges (PR:L), not unauthenticated access. VulDB additionally maps the issue to Server Software Component (T1505).
NVD Description
A vulnerability, which was classified as critical, has been found in Mini-Tmall up to 20250211. This issue affects the function select of the file com/xq/tmall/dao/ProductMapper.java. The manipulation of the argument orderBy leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-1843 is a SQL injection vulnerability (CWE-74, CWE-89) in Mini-Tmall versions up to 20250211. The issue affects the select function in the file com/xq/tmall/dao/ProductMapper.java, where manipulation of the orderBy argument enables SQL injection. Published on 2025-03-03, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), though described as critical in initial reports.
The vulnerability is remotely exploitable (AV:N) by a low-privileged user (PR:L) with low attack complexity and no user interaction. Successful exploitation has low-rated impact on confidentiality, integrity and availability (C:L/I:L/A:L), which in practice means injected SQL in the ORDER BY clause can be used to read data the caller is not entitled to, alter query results, or disrupt the query.
VulDB advisories (ctiid.298109, id.298109) and related submissions document the issue, with a public proof-of-concept exploit disclosed on GitHub (qkdjksfkeg/cve_article/Tmall_demo/SQL%20injection.md). The vendor was contacted early but did not respond, and no patches or official mitigations are referenced. Because the exploit is public and may be used in attacks, the risk to unpatched Mini-Tmall deployments is elevated relative to the base score alone.
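The following is an added example, not code from Mini-Tmall, VulDB or the referenced proof-of-concept. It models the class of bug described above and the allowlist that SI-10 calls for, using Python against an in-memory SQLite database because ProductMapper.java's source is not shown on this page. The table and column names (product, admin, product_id, product_name, product_price), the sample rows and the payload are all constructed for the demonstration. It shows two things the text alone does not: a sort column is an SQL identifier, so it cannot be passed as a bind parameter the way a WHERE value can (in MyBatis mappers this is typically where ${} substitution appears instead of #{} binding; whether that is the case in ProductMapper.java is not established here), which is why the fix is an allowlist lookup rather than escaping; and an ORDER BY-only injection with no stacked queries still leaks data, here one character of an unrelated table, through a CASE expression that flips the sort order.

```python
import sqlite3

# Constructed sample data standing in for a product catalogue; not Mini-Tmall data.
# product_id is deliberately not in name order so that sorting by id and by name differ.
PRODUCTS = [
    (3, "Kettle", 19.99),
    (1, "Lamp", 34.50),
    (2, "Mug", 4.25),
]

# Hypothetical allowlist for the orderBy argument: the only sort columns the
# application should ever emit, keyed by the value the client is allowed to send.
ALLOWED_ORDER_BY = {
    "product_id": "product_id",
    "product_name": "product_name",
    "product_price": "product_price",
}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """In-memory SQLite database with a product table and a table the client must not read."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (product_id INTEGER, product_name TEXT, product_price REAL)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE admin (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'constructed-hash')")
    return conn


def select_vulnerable(conn, order_by):
    """The flawed pattern: the caller's orderBy value is spliced into the SQL text.

    ORDER BY takes an identifier or expression, not a literal, so a bind
    parameter would not help here; the only defence is to constrain the value.
    """
    sql = "SELECT product_id, product_name, product_price FROM product ORDER BY " + order_by
    return conn.execute(sql).fetchall()


def select_hardened(conn, order_by, direction="asc"):
    """Allowlisted sort: map the client's value onto a known column name or refuse it."""
    column = ALLOWED_ORDER_BY.get(order_by)
    direction_sql = ALLOWED_DIRECTION.get(direction.lower())
    if column is None or direction_sql is None:
        raise ValueError(f"rejected orderBy={order_by!r} direction={direction!r}")
    sql = (
        "SELECT product_id, product_name, product_price FROM product "
        f"ORDER BY {column} {direction_sql}"
    )
    return conn.execute(sql).fetchall()


def infer_first_char(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Attacker's view: boolean-based inference through an ORDER BY injection.

    The CASE expression sorts by product_name when the guess is right and by
    product_id otherwise, so the row order leaks one character of
    admin.password_hash per probe without any error or stacked query.
    """
    baseline = [row[0] for row in select_vulnerable(conn, "product_id")]
    for guess in alphabet:
        payload = (
            "CASE WHEN (SELECT substr(password_hash, 1, 1) FROM admin) = "
            f"'{guess}' THEN product_name ELSE product_id END"
        )
        order = [row[0] for row in select_vulnerable(conn, payload)]
        if order != baseline:
            return guess
    return None


def is_rejected(conn, order_by, direction="asc"):
    """True when the hardened select refuses the value instead of executing it."""
    try:
        select_hardened(conn, order_by, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable ORDER BY:", infer_first_char(db))
    print("hardened, price desc:", select_hardened(db, "product_price", "desc"))
    print("hardened rejects payload:", is_rejected(db, "product_id, (SELECT 1)"))
```

The allowlist is a dictionary rather than a regular expression on purpose: a pattern such as `[A-Za-z_]+` would still let a caller sort by any column in the table, including ones the UI never exposes, whereas the lookup emits only the three identifiers the application chose and treats anything else as a hard error rather than something to sanitise.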
Details
- CWE(s)