Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13248, has been discovered in SourceCodester’s Patients Waiting Area Queue Management System version 1.0. This flaw allows a remote attacker to execute arbitrary SQL commands, potentially compromising sensitive patient data and system integrity. The vulnerability has been publicly disclosed, increasing the risk of exploitation. Technical Details The vulnerability resides in the /php/api_patient_schedule.php file within the application. Specifically, the appointmentID parameter is susceptible to SQL injection. By manipulating this parameter, an attacker can inject malicious SQL code into the database query, potentially allowing them to: Read sensitive data, including patient information, appointments, and…
-
-
Overview A significant security vulnerability, identified as CVE-2025-13247, has been discovered in PHPGurukul Tourism Management System version 1.0. This vulnerability is a SQL Injection flaw affecting the /admin/user-bookings.php file. Specifically, the uid argument is susceptible to malicious manipulation, allowing attackers to execute arbitrary SQL commands. This vulnerability can be exploited remotely, and proof-of-concept exploits are publicly available, increasing the risk of active exploitation. Technical Details The vulnerability resides in the /admin/user-bookings.php file within the PHPGurukul Tourism Management System 1.0. The application fails to properly sanitize or validate user-supplied input provided through the uid parameter when querying the database. This lack…
-
Overview CVE-2025-13246 is a medium-severity path traversal vulnerability discovered in shsuishang’s ShopSuite ModulithShop. This vulnerability allows a remote attacker to potentially access sensitive files or directories on the server. The affected component resides within the JwtAuthenticationFilter class, posing a significant risk to the application’s security. Technical Details The vulnerability exists within the JwtAuthenticationFilter function located in the src/main/java/com/suisung/shopsuite/common/security/JwtAuthenticationFilter.java file of the ShopSuite ModulithShop application. By manipulating the input to this function, an attacker can bypass intended security checks and access files or directories outside of the permitted scope. The vulnerability has been confirmed in versions up to commit 45a99398cec3b7ad7ff9383694f0b53339f2d35a. A…
-
Overview CVE-2025-13245 describes a Cross-Site Scripting (XSS) vulnerability identified in the Code-Projects Student Information System version 2.0. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user data or system integrity. The vulnerable component resides within the /editprofile.php file. Technical Details The vulnerability exists due to insufficient input sanitization within the /editprofile.php file. An attacker can exploit this by crafting a malicious URL or form submission that injects JavaScript code. When a user interacts with the affected page, the injected script will execute in their browser, potentially allowing the attacker to steal cookies, redirect the…
-
Overview CVE-2025-13244 is a medium severity Cross-Site Scripting (XSS) vulnerability found in Student Information System version 2.0, a project by code-projects.org. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability exists in the /register.php file and can be exploited remotely. Public exploit code is available, increasing the risk of active exploitation. Technical Details The vulnerability resides within the /register.php file, specifically in an unidentified function handling user input during the registration process. Improper sanitization of user-supplied data allows an attacker to inject malicious JavaScript code. This injected code…
-
Overview A medium severity SQL Injection vulnerability, identified as CVE-2025-13243, has been discovered in code-projects Student Information System 2.0. This vulnerability could allow a remote attacker to execute arbitrary SQL commands, potentially leading to data breaches, modification of data, or unauthorized access. This article provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation strategies. Technical Details The vulnerability resides in the /editprofile.php file of the Student Information System 2.0. Specifically, an unknown function within this file is susceptible to SQL Injection. An attacker can manipulate input parameters to inject malicious SQL code. The exploit is publicly…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13242, has been discovered in code-projects Student Information System version 2.0. This vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to data breaches, system compromise, and unauthorized access to sensitive student information. Technical Details The vulnerability exists in the /register.php file of the Student Information System. An attacker can manipulate input parameters during the registration process to inject malicious SQL code. Due to insufficient input sanitization, the injected SQL code is then executed by the database server. The exploit is publicly available, increasing the risk of widespread exploitation. CVSS…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13241, has been discovered in code-projects Student Information System 2.0. This flaw allows a remote attacker to execute arbitrary SQL queries by manipulating the Username argument in the /index.php file. This vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected system. Technical Details The vulnerability lies in the insufficient sanitization of user-supplied input in the Username parameter of the /index.php file. An attacker can inject malicious SQL code into this parameter, which is then executed directly against the database. This can allow the attacker to bypass authentication,…
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13240, has been discovered in the code-projects Student Information System 2.0. This vulnerability allows remote attackers to execute arbitrary SQL commands by manipulating the ‘s’ argument in the /searchquery.php file. With a CVSS score of 7.3, this vulnerability poses a significant risk to systems running the affected software. An exploit is publicly available, increasing the urgency for immediate mitigation. Technical Details The vulnerability resides in the /searchquery.php file of the Student Information System 2.0. Specifically, the application fails to properly sanitize user-supplied input to the ‘s’ parameter. An attacker can craft a…
-
Overview CVE-2025-13239 details a medium severity security vulnerability found in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution version 5. This vulnerability allows for remote exploitation, potentially leading to a disruption of expected behavioral workflows during the checkout process. The vendor has been notified but has not responded to the disclosure. Technical Details The vulnerability resides within the /submit_checkout file. Specifically, the order_total_amount and/or cart_total_amount arguments can be manipulated to influence the checkout workflow. An attacker can remotely manipulate these values, leading to unintended consequences in the ordering and payment process. The exact nature of the unintended consequences is not…