Overview
CVE-2025-13121 is a high-severity SQL injection vulnerability in cameasy LikeTea version 1.0.0. It affects the list function in laravel/app/Http/Controllers/Front/StoreController.php, part of the application's API endpoint component. A remote attacker can inject arbitrary SQL through the affected request parameters, potentially reading or modifying database contents or causing a denial of service. The vulnerability has been publicly disclosed and may be exploited remotely.
Technical Details
The vulnerability is caused by insufficient sanitization of user-supplied input passed via the lng and lat parameters to the list function in StoreController.php. These values are incorporated into a database query without validation or parameter binding, so an attacker who places SQL syntax in either parameter can change the statement that is executed against the database server.
The vulnerable code resides in:
laravel/app/Http/Controllers/Front/StoreController.php
Specifically, the function list is susceptible to SQL injection via the lng and lat parameters.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) base score for CVE-2025-13121 is 7.3, which places it in the HIGH severity range.
- CVSS Score: 7.3 (HIGH)
- Impact: loss of confidentiality, integrity, and availability of data held in the application database.
Possible Impact
Exploitation of this SQL Injection vulnerability can have severe consequences, including:
- Data Breach: Attackers can gain unauthorized access to sensitive data stored in the database, such as user credentials, personal information, and financial records.
- Data Modification: Attackers can modify or delete critical data, leading to data corruption and business disruption.
- Account Takeover: By reading or altering credential, password-reset, or session records, attackers can potentially gain control of user or administrator accounts.
- Denial of Service (DoS): Attackers can execute expensive or destructive SQL statements that overload the database server or remove data, denying service to legitimate users.
- Remote Code Execution (Potentially): Depending on the database engine and the privileges of the application's database account (for example, file-write or command-execution features being available to it), SQL injection can sometimes be leveraged to execute arbitrary code on the server.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-13121, the following steps are recommended:
- Update LikeTea: The most effective remediation is to update LikeTea to a release that fixes this vulnerability. Check the official cameasy website or the vendor's release channels for a patched version.
- Input Validation: Validate and sanitize all user-supplied input, in particular the lng and lat parameters handled by StoreController.php, and treat them as bounded numeric coordinates rather than free-form strings. Use parameterized queries or prepared statements (in Laravel, query-builder or Eloquent bindings rather than string interpolation into raw SQL) so that input can never change the structure of the statement.
- Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) with rulesets designed to detect and block SQL injection attempts. Ensure the WAF is properly configured and kept updated with the latest signatures; treat it as a compensating control, not a substitute for fixing the code.
- Least Privilege Principle: Ensure that the database account used by the application has only the privileges it needs (typically SELECT, INSERT, UPDATE and DELETE on its own tables), so that a successful injection cannot read unrelated schemas, write files, or invoke administrative functions.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in the application.
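The following is an added illustration of the pattern described in the Technical Details and Input Validation sections above. It is not LikeTea's code: the store-locator query, the stores table and its lat and lng columns, and the listVulnerable method name are assumptions made for the example. The first method interpolates the request parameters into SQL text, which is the class of defect the advisory describes; the second validates them as bounded numbers and passes them as query bindings.

```php
<?php
// Added example, not the LikeTea source. The table ("stores"), columns
// ("lat", "lng"), and the haversine distance query are assumptions.

namespace App\Http\Controllers\Front;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class StoreController extends Controller
{
    // VULNERABLE: lat and lng are interpolated straight into the SQL text.
    // Any non-numeric value (quotes, parentheses, comment markers) is spliced
    // into the statement and can change what the database executes.
    public function listVulnerable(Request $request): JsonResponse
    {
        $lat = $request->input('lat');
        $lng = $request->input('lng');

        $sql = "SELECT id, name,"
             . " (6371 * acos(cos(radians($lat)) * cos(radians(lat))"
             . " * cos(radians(lng) - radians($lng))"
             . " + sin(radians($lat)) * sin(radians(lat)))) AS distance"
             . " FROM stores ORDER BY distance LIMIT 20";

        return response()->json(DB::select($sql));
    }

    // FIXED: validate the coordinates as bounded numbers, then hand them to
    // the database as bindings so they can never alter the query structure.
    public function list(Request $request): JsonResponse
    {
        $data = $request->validate([
            'lat' => ['required', 'numeric', 'between:-90,90'],
            'lng' => ['required', 'numeric', 'between:-180,180'],
        ]);
        $lat = (float) $data['lat'];
        $lng = (float) $data['lng'];

        $stores = DB::table('stores')
            ->select('id', 'name')
            ->selectRaw(
                '(6371 * acos(cos(radians(?)) * cos(radians(lat))'
                . ' * cos(radians(lng) - radians(?))'
                . ' + sin(radians(?)) * sin(radians(lat)))) AS distance',
                [$lat, $lng, $lat]
            )
            ->orderBy('distance')
            ->limit(20)
            ->get();

        return response()->json($stores);
    }
}
```

In the fixed method selectRaw still emits raw SQL, but the `?` placeholders are sent to PDO as prepared-statement parameters rather than being concatenated into the statement, so the input cannot terminate the expression or append clauses. The validation rules are defence in depth: a request whose lat or lng is missing, non-numeric, or outside the valid coordinate range is rejected with a 422 response before any query runs.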
