How the CVE Works
The vulnerability in AssamLook CMS 1.0 resides in /view_tender.php, where the `ID` query parameter is placed into a SQL statement without proper sanitization or parameter binding. An attacker can supply a crafted `ID` value that alters the query, enabling unauthorized database access, data exfiltration, or data manipulation. The flaw is remotely exploitable without authentication, which increases its severity. Publicly disclosed exploits exist, and the vendor has not yet issued a patch despite early notification.
DailyCVE Form
Platform: AssamLook CMS
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 06/16/2025
Prediction: Patch expected by 07/15/2025
What Undercode Say
Analytics:
Presumed shape of the affected query (the `ID` parameter is spliced in as-is):
SELECT * FROM tenders WHERE id = '<ID parameter>';
Proof-of-concept request; `-G` with `--data-urlencode` sends the payload as a properly encoded GET query string, and `-- -` keeps the trailing comment valid on MySQL:
curl -G "http://target/view_tender.php" --data-urlencode "ID=1' OR 1=1-- -"
Exploit:
- Craft malicious `ID` payloads.
- Execute unauthorized SQL queries.
- Exfiltrate sensitive data.
Protection from this CVE
- Validate `ID` as a positive integer before it reaches the query; reject anything else.
- Use prepared statements (parameterized queries) for every database access in the application.
- Temporary mitigation: WAF rules blocking SQL metacharacters (quotes, comment sequences, `OR`/`UNION` keywords) in the `ID` parameter of /view_tender.php.
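The following is an added example, not code from AssamLook CMS or from this advisory, written to illustrate both the injection mechanism described above and the prepared-statement fix in the Protection list. AssamLook CMS is a PHP application; this Python model against an in-memory SQLite database reproduces the same flawed pattern (raw `ID` concatenated into the SQL text) next to a hardened version that validates the parameter as an integer and binds it. The `tenders` table name comes from the advisory; its columns and rows are constructed sample data, not the real schema.

```python
import sqlite3

# Constructed sample data standing in for the CMS tender table.
# The column names are assumptions, not taken from AssamLook CMS.
SAMPLE_TENDERS = [
    (1, "Road resurfacing", "public"),
    (2, "Bridge inspection", "public"),
    (3, "Internal audit", "restricted"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenders (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO tenders VALUES (?, ?, ?)", SAMPLE_TENDERS)
    return conn


def view_tender_vulnerable(conn, id_param):
    """Mirror the flawed pattern: the raw ID parameter is spliced into the SQL string.

    With ID="1' OR 1=1--" the statement becomes
        SELECT id, title FROM tenders WHERE id = '1' OR 1=1--'
    and the trailing quote is swallowed by the comment, so every row is returned.
    """
    query = f"SELECT id, title FROM tenders WHERE id = '{id_param}'"
    return conn.execute(query).fetchall()


def view_tender_hardened(conn, id_param):
    """Validate ID as a positive integer, then bind it instead of concatenating."""
    if not isinstance(id_param, str) or not id_param.isdigit():
        raise ValueError("ID must be a positive integer")
    tender_id = int(id_param)
    # The driver sends the value separately from the SQL text, so no payload
    # in id_param can change the query structure.
    return conn.execute(
        "SELECT id, title FROM tenders WHERE id = ?", (tender_id,)
    ).fetchall()


def hardened_rejects(conn, id_param):
    """Return True if the hardened handler refuses the given parameter."""
    try:
        view_tender_hardened(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal   :", view_tender_vulnerable(db, "1"))
    # Tautology payload from the advisory: dumps every row.
    print("OR 1=1   :", view_tender_vulnerable(db, "1' OR 1=1--"))
    # UNION payload pulling the schema out of sqlite_master (schema exfiltration).
    print("UNION    :", view_tender_vulnerable(
        db, "' UNION SELECT name, sql FROM sqlite_master--"))
    print("hardened :", view_tender_hardened(db, "2"))
    print("rejected :", hardened_rejects(db, "1' OR 1=1--"))
```

The tautology payload returns all three sample rows through the vulnerable path, the UNION payload returns the `CREATE TABLE` statement for `tenders`, and the hardened path raises before any SQL is built. The integer check is a defence in depth: the bound parameter alone already prevents injection, but rejecting non-numeric input keeps the malformed request out of the database layer entirely and gives a clean signal for logging.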
Impact:
- Full database compromise.
- Unauthorized data access.
- Potential system takeover.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode