CVE-2025-2659
Published: 23 March 2025
Summary
CVE-2025-2659 is a high-severity Injection (CWE-74) vulnerability in Projectworlds Online Time Table Generator. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents SQL injection in /student/index.php by enforcing input validation and error handling for parameters like 'e' to neutralize special SQL elements.
SI-2 requires timely identification, prioritization, and remediation of flaws such as this SQL injection vulnerability through patching the affected application.
RA-5 mandates vulnerability scanning to detect SQL injection issues like CVE-2025-2659 in web applications and initiate remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in the unauthenticated /student/index.php endpoint of the public-facing web application enables exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006) via injected SQL queries, as demonstrated by sqlmap extraction of database information.
NVD Description
A vulnerability, which was classified as critical, was found in Project Worlds Online Time Table Generator 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument e leads to sql injection. It is possible to…
more
initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2659 is a critical SQL injection vulnerability affecting Project Worlds Online Time Table Generator version 1.0. The flaw exists in an unknown part of the file /student/index.php, where manipulation of the argument "e" enables the injection. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit the vulnerability. By crafting malicious input for the "e" parameter, they can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality (e.g., data disclosure), integrity (e.g., data modification), and availability (e.g., denial of service).
Advisories referenced in VulDB entries (ctiid.300675, id.300675, submit.520482) and a GitHub issue (ydnd/cve/issues/7) confirm the vulnerability details and note that the exploit has been publicly disclosed, making it available for potential use by attackers. No patches or specific mitigations are mentioned in the provided references.
Details
- CWE(s)