CVE-2025-3039
Published: 31 March 2025
Summary
CVE-2025-3039 is a medium-severity Injection (CWE-74) vulnerability in Fabian Payroll Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like lname and fname parameters in /add_employee.php.
SI-2 ensures timely flaw remediation, including patching the specific SQL injection vulnerability in Payroll Management System 1.0.
RA-5 uses vulnerability scanning to identify and prioritize SQL injection flaws like CVE-2025-3039 in web applications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/add_employee.php) enables exploitation of public-facing applications (T1190) and abuse of server software components (T1505) for unauthorized database access.
NVD Description
A vulnerability was found in code-projects Payroll Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /add_employee.php. The manipulation of the argument lname/fname leads to sql injection. It is possible to launch…
more
the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Deeper analysisAI
CVE-2025-3039 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Payroll Management System 1.0. The flaw affects an unknown function within the file /add_employee.php, where manipulation of the lname and fname arguments enables the injection. Other parameters may also be vulnerable. Published on 2025-03-31, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability with low complexity and no user interaction required. Exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized access, modification, or disruption of database operations via SQL injection.
Advisories and details are documented on VulDB (ctiid.302100, id.302100, submit.524676), the project site at code-projects.org, and a GitHub repository at xuzhuojia22/cve. The exploit has been publicly disclosed and may be used by attackers.
The vulnerability's public exploit disclosure increases the risk of real-world exploitation in unpatched instances of Payroll Management System 1.0.
Details
- CWE(s)