CVE-2025-2054
Published: 07 March 2025
Summary
CVE-2025-2054 is a medium-severity Injection (CWE-74) vulnerability in Code-Projects Blood Bank Management System. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Server Software Component (T1505); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation of the state_id input parameter to ensure only acceptable values are processed.
Requires timely identification, reporting, and correction of the SQL injection flaw in /admin/edit_state.php.
Enables vulnerability scanning to identify the SQL injection vulnerability in the Blood Bank Management System.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability enables arbitrary database queries, facilitating execution or command execution via server software components (T1505) and collection from databases (T1213.006) as mapped in advisories.
NVD Description
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/edit_state.php. The manipulation of the argument state_id leads to sql injection. The…
more
attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2054 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Blood Bank Management System 1.0 from code-projects.org. The flaw affects an unknown functionality within the file /admin/edit_state.php, where manipulation of the state_id argument enables SQL injection. The vulnerability carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely.
A remote attacker with high privileges can exploit this vulnerability with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries.
Advisories from VulDB (ctiid.298807, id.298807, submit.514346) and a GitHub repository (intercpt/XSS1/blob/main/SQL6.md) document the issue, with the exploit publicly disclosed and available for use. No specific patches or mitigations are mentioned in the provided details.
Details
- CWE(s)