itsourcecode COVID Tracking System, SQL Injection, CVE-2025-13567 (Medium)


The vulnerability affects itsourcecode COVID Tracking System version 1.0. It is a SQL injection flaw in the /admin/?page=establishment endpoint: the ID parameter of the GET request is not sanitized, so an attacker who controls it can alter the structure of the SQL query the application builds and execute arbitrary SQL statements against the backend database. Although the endpoint sits under /admin/, the attack is described as remotely exploitable without authentication.

A payload such as ' OR '1'='1 turns the WHERE clause into a tautology and bypasses the intended filter; more complex (UNION-based or boolean-based) payloads can enumerate the database schema or extract user credentials. The root cause is missing input validation; the application very likely concatenates the ID value into the query string instead of using prepared statements.

Exploitation can compromise the confidentiality of stored data, and integrity compromise and potential system takeover are also possible. The public availability of an exploit increases the risk. The CVSS score of 5.3 rates the issue as medium severity, with confidentiality, integrity, and availability impacts. Organizations should monitor for a vendor patch; until one is available, a web application firewall rule that blocks SQL metacharacters in the ID parameter is a reasonable temporary mitigation. The flaw reflects insecure coding practices, and immediate remediation is recommended.
Platform: itsourcecode COVID Tracking System
Version: 1.0
Vulnerability: SQL Injection
Severity: Medium
Date: 11/23/2025

Prediction: Patch not released

What Undercode Says:

Analytics

  • sqlmap -u "http://target.com/admin/?page=establishment&ID=1" --dbs
  • curl "http://target.com/admin/?page=establishment&ID=1'%20AND%20'1'%3D'2"
  • grep -n "establishment" source_code.php

How to Exploit

  • Identify vulnerable parameter ID.
  • Craft union-based SQL payloads.
  • Extract database information remotely.

Protection from this CVE

  • Use parameterized queries (prepared statements) for every database access; never concatenate request values into SQL text.
  • Validate that ID is a positive integer before it reaches the database layer.
  • Apply a web application firewall as a temporary compensating control until the code is fixed.
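
As an added example (not code from this page or from the itsourcecode project), the following Python script reproduces the two query patterns discussed above against an in-memory SQLite table: the concatenated lookup the advisory describes, the parameterized lookup recommended under Protection, a positive-integer check on ID, and a boolean-based probe in the spirit of the curl check under Analytics. The table name, columns and rows are constructed for the example and are not the application's real schema.

```python
import sqlite3

# Constructed sample data standing in for the application's establishment
# table. The table name, columns and rows are assumptions made for this
# example; they are not the project's real schema.
SAMPLE_ROWS = [
    (1, "City Health Centre", "active"),
    (2, "Riverside Clinic", "active"),
    (3, "Old Town Pharmacy", "closed"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE establishment (id INTEGER PRIMARY KEY, name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO establishment VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """Pattern the advisory describes: the ID value is concatenated into the
    SQL text, so quotes in the input rewrite the query's structure."""
    sql = "SELECT id, name, status FROM establishment WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Hardened form: the value is bound as a parameter, so it is only ever
    compared as data and can never change the statement."""
    sql = "SELECT id, name, status FROM establishment WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def is_valid_id(raw_id):
    """Input validation as defence in depth: the endpoint expects a positive
    integer identifier, so anything else is rejected before it reaches SQL."""
    return raw_id.isdigit() and int(raw_id) > 0


def boolean_probe_differs(conn, lookup):
    """Boolean-based detection: a true and a false condition appended to the
    same ID return identical results from a safe endpoint and different
    results from an injectable one."""
    true_rows = lookup(conn, "1' AND '1'='1")
    false_rows = lookup(conn, "1' AND '1'='2")
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("concatenated query:", lookup_vulnerable(db, tautology))      # all three rows
    print("parameterized query:", lookup_parameterized(db, tautology))  # []
    print("valid id?", is_valid_id(tautology), is_valid_id("2"))        # False True
    print("vulnerable probe differs:", boolean_probe_differs(db, lookup_vulnerable))      # True
    print("hardened probe differs:", boolean_probe_differs(db, lookup_parameterized))     # False
```

Run it directly to see the tautology return every row from the concatenated query and nothing from the parameterized one. The same probe logic is what sqlmap's boolean-based technique automates; here it is spelled out so the difference between the two code paths is visible.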

Impact

  • Data breach risk.
  • Unauthorized admin access.
  • System compromise potential.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
