CVE-2025-70152

code-projects · Community Project Scholars Tracking System

The Community Project Scholars Tracking System 1.0 is susceptible to unauthenticated SQL injection within its administrative user management endpoints.

Executive summary

A critical SQL injection vulnerability in the Community Project Scholars Tracking System allows unauthenticated attackers to execute arbitrary database commands, potentially leading to full system compromise.

Vulnerability

The application performs neither an authentication check nor input sanitization on the /admin/save_user.php and /admin/update_user.php endpoints, so an unauthenticated attacker can inject SQL through the POST parameters those scripts pass into database queries.

Business impact

Successful exploitation of this vulnerability allows unauthorized actors to manipulate or extract sensitive database information, potentially leading to a complete breach of user credentials and administrative accounts. Given the CVSS score of 9.8, this represents a critical risk that could result in significant data loss, regulatory non-compliance, and severe reputational damage.

Remediation

Immediate Action: Update to the latest version of the Community Project Scholars Tracking System as provided by the vendor to remediate the vulnerable code.

Proactive Monitoring: Review web server access logs for suspicious POST requests targeting save_user.php or update_user.php containing SQL syntax characters.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block common SQL injection patterns and restrict access to the /admin/ directory to trusted internal IP addresses only.
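The log review and the trusted-network restriction above can be checked together with a small triage script. This is an added example, not code from the advisory or from the project; the log lines, IP addresses and the 10.0.0.0/8 trusted range are constructed for illustration. Note that a standard access log records only the request line, not the POST body, so SQL syntax is visible here only when it travels in the query string; body inspection needs a WAF or ModSecurity audit log or application-level request logging.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Endpoints named in the advisory.
TARGET_PATHS = ("/admin/save_user.php", "/admin/update_user.php")

# Apache/nginx "combined" access-log request line; trailing fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL syntax characters and keywords, matched after URL-decoding the request line.
SQL_RE = re.compile(r"'|\"|--|/\*|;|\b(union|select|sleep|benchmark)\b", re.IGNORECASE)

# Constructed sample log (hypothetical hosts and IPs, documentation ranges).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "POST /admin/save_user.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2025:10:02:15 +0000] "POST /admin/update_user.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 734 "-" "curl/8.4"
203.0.113.9 - - [12/Jan/2025:10:02:20 +0000] "POST /admin/save_user.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.7 - - [12/Jan/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
TRUSTED_NETWORKS = ["10.0.0.0/8"]  # assumed internal range; adjust to the real one


def find_suspicious(log_text, trusted_networks):
    """Return one dict per suspicious request to the vulnerable endpoints.

    Flags (a) POST requests from outside the trusted networks, which the
    compensating control says should be blocked, and (b) any request whose
    decoded request line carries SQL syntax. POST bodies are not in access logs,
    so (b) only catches payloads sent in the query string.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unparseable line: skip rather than crash
        path = m["url"].split("?", 1)[0]
        if path not in TARGET_PATHS:
            continue
        try:
            untrusted = not any(ipaddress.ip_address(m["ip"]) in net for net in trusted)
        except ValueError:
            untrusted = True  # hostname instead of IP (HostnameLookups on): cannot verify
        reasons = []
        if m["method"] == "POST" and untrusted:
            reasons.append("post_from_untrusted_source")
        if SQL_RE.search(unquote_plus(m["url"])):
            reasons.append("sql_syntax_in_request_line")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"], "reasons": reasons})
    return hits
```

Run against the sample, the first line is ignored (trusted source, clean request line) and the two requests from 203.0.113.9 are reported, the first of them on both grounds.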

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability presents a severe risk due to the lack of authentication and the high impact of SQL injection. Organizations currently running version 1.0 must prioritize applying the latest security updates immediately or restrict network access to the application until a patch is deployed.