CVE Alert: CVE-2025-10797 – code-projects – Hostel Management System
CVE-2025-10797
A vulnerability was found in code-projects Hostel Management System 1.0. It affects an unknown part of the file /justines/index.php. Manipulation of the argument log_email leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Summary Analysis
Risk verdict
Urgent: publicly disclosed PoC enables remote, unauthenticated SQL injection, making exploitation feasible via the web interface.
Why this matters
Compromise can lead to leakage or manipulation of customer and reservation data, payment records, and credentials. Attackers can potentially extract sensitive information or alter records, with business disruption from data integrity issues and possible regulatory exposure.
Most likely attack path
Given remote, unauthenticated access with no user interaction required (AV:N, PR:N, UI:N), an attacker can craft input to the log_email parameter of the web endpoint to trigger SQL injection. The rated impact is low on each of confidentiality, integrity and availability of the database (C:L, I:L, A:L). Lateral movement is unlikely without additional footholds, but data exfiltration or tampering within the application's scope is plausible.
Who is most exposed
Web-facing deployments of small-business hostel management systems (especially version 1.0) running on public networks are most at risk. If exposed via shared hosting or misconfigured internet access, remediation becomes more urgent.
Detection ideas
- Unusual log_email query strings and unusual DB error messages in application logs
- Spikes in 500 or DB-related errors, or slow queries, tied to /justines/index.php
- Anomalous data access patterns from unauthorised IPs
- Repeated injection-like payloads or stack traces in logs
- WAF/IPS alerts for suspicious SQL patterns
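The detection ideas above can be turned into a small log scanner. The following is an added example written for this alert, not code from code-projects or from the advisory: it parses Apache combined-format access-log lines (constructed sample lines, not real traffic), pulls the log_email parameter out of requests to /justines/index.php, flags values that contain SQL metacharacters or SQL keywords or that are not shaped like an e-mail address, and separately counts HTTP 5xx responses on that endpoint per client IP. The log format, the endpoint path and the heuristics are assumptions; tune them to the deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /justines/index.php?log_email=guest%40example.com&log_pass=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:12:00:02 +0000] "GET /justines/index.php?log_email=%27+OR+1%3D1--&log_pass=x HTTP/1.1" 500 220 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:12:00:03 +0000] "GET /justines/index.php?log_email=a%27+UNION+SELECT+1%2C2%2C3%23&log_pass=x HTTP/1.1" 500 220 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /justines/about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined format: client ip, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A login e-mail should look like local@domain.tld with no quotes or whitespace.
EMAIL_RE = re.compile(r'^[^@\s\'"]+@[^@\s\'"]+\.[^@\s\'"]+$')
# Characters that end a string literal or start a comment in common SQL dialects.
SQL_META_RE = re.compile(r"""['"`;]|--|#|/\*""")
# Keywords that rarely belong in an e-mail address but do in injected SQL.
SQL_KEYWORD_RE = re.compile(
    r'\b(or|and|union|select|sleep|benchmark|insert|update|delete)\b', re.I
)


def classify_log_email(value):
    """Return the reasons a log_email value looks like an injection attempt (empty list = looks benign)."""
    reasons = []
    if SQL_META_RE.search(value):
        reasons.append("sql-metacharacter")
    if not EMAIL_RE.match(value):
        reasons.append("not-an-email")
        # Keyword check only on non-addresses: 'or@example.com' must not trip it.
        if SQL_KEYWORD_RE.search(value):
            reasons.append("sql-keyword")
    return reasons


def scan(log_text, path="/justines/index.php", param="log_email"):
    """Yield one finding per suspicious log_email value sent to the vulnerable endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        for value in parse_qs(parts.query).get(param, []):  # parse_qs URL-decodes the value
            reasons = classify_log_email(value)
            if reasons:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "value": value,
                    "reasons": reasons,
                })
    return findings


def server_errors_by_ip(log_text, path="/justines/index.php"):
    """Count HTTP 5xx responses on the endpoint per client IP (a spike hints at DB errors from malformed SQL)."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and urlsplit(m["target"]).path == path and m["status"].startswith("5"):
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} reasons={','.join(f['reasons'])} value={f['value']!r}")
    print("5xx per ip:", server_errors_by_ip(SAMPLE_LOG))
```

Correlating the two signals (suspicious parameter values and a burst of 5xx responses from the same source) gives a higher-confidence alert than either alone, since a legitimate typo in an address rarely produces a database error.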
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed release; validate in staging before production.
- Enforce parameterised queries and input validation; remove direct string concatenation in SQL.
- Implement least-privilege DB accounts and disable unnecessary remote DB access.
- Deploy or strengthen WAF/IPS rules to block common SQLi payloads; enable detailed DB audit logging.
- Change-management: schedule a rapid patch window, monitor post-deployment, and verify no regressions.
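To make the second mitigation bullet concrete, here is an added example, written for this alert and not taken from the Hostel Management System's source (which this page does not show): the legacy lookup concatenates the log_email request parameter straight into SQL, the hardened lookup validates the value as an e-mail address and binds it as a query parameter. The in-memory SQLite users table and its two rows are constructed for the demonstration; the column names and the exact query are assumptions, not the application's own schema.

```python
import re
import sqlite3

# Syntactic check for local@domain.tld; rejects quotes and whitespace outright.
EMAIL_RE = re.compile(r'^[^@\s\'"]+@[^@\s\'"]+\.[^@\s\'"]+$')


def make_db():
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("guest@example.com", "guest"), ("admin@example.com", "admin")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, log_email):
    """Legacy pattern: the request parameter is spliced into the SQL text (the defect class behind this CVE)."""
    sql = f"SELECT id, email, role FROM users WHERE email = '{log_email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, log_email, validate=True):
    """Hardened pattern: validate the input shape, then pass it to the driver as a bound parameter.

    Binding alone already keeps the value out of the SQL grammar; validation is defence in depth
    and gives the application a clean error path for malformed input.
    """
    if validate and not EMAIL_RE.match(log_email):
        raise ValueError("log_email is not a syntactically valid address")
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (log_email,)
    ).fetchall()


def compare_lookups(log_email):
    """Run one value through all three variants and return the number of rows each one hands back.

    'safe' is None when validation rejected the value before any query ran.
    """
    conn = make_db()
    vulnerable = len(find_user_vulnerable(conn, log_email))
    try:
        safe = len(find_user_safe(conn, log_email))
    except ValueError:
        safe = None
    bound_only = len(find_user_safe(conn, log_email, validate=False))
    return {"vulnerable": vulnerable, "safe": safe, "bound_only": bound_only}


if __name__ == "__main__":
    for value in ("guest@example.com", "x' OR '1'='1"):
        print(f"{value!r}: {compare_lookups(value)}")
```

For the benign address all three variants return the single matching row. For a value that closes the string literal and appends a tautology, the concatenated query matches every row in the table, the bound query matches none (the whole value is compared as an opaque string), and the validated path never reaches the database at all. The same fix applies unchanged in PHP with PDO or mysqli prepared statements, which is where this code base's query would actually live.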