CVE Alert: CVE-2025-10811 – code-projects – Hostel Management System

CVE-2025-10811

Severity: HIGH. No exploitation known.

A flaw has been found in code-projects Hostel Management System 1.0. It affects an unknown function of the file /justines/admin/mod_comments/index.php?view=view. Manipulation of the argument ID can lead to SQL injection. The attack may be performed remotely. An exploit has been published and may be used.

CVSS v3.1 score: 7.3
Vendor: code-projects
Product: Hostel Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-22T19:02:06.681Z
Updated: 2025-09-22T19:02:06.681Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with a publicly disclosed exploit; exploitation is plausible without authentication.

Why this matters

Direct access to the vulnerable endpoint can reveal, modify or exfiltrate sensitive data, potentially including resident information. The attacker’s goal may be data theft, integrity disruption or escalation of access, with low barriers due to network exposure and no user interaction required.

Most likely attack path

An unauthenticated, remote attacker sends crafted input to the vulnerable parameter to trigger a union/select or other SQLi. With no required privileges and network-based access, successful exploitation can leak or alter data and potentially compromise adjacent systems through standard DB permissions. Lateral movement depends on DB privileges; the initial gain is data-focused rather than full system takeover.

Who is most exposed

Web applications hosting admin or mod_comments functionality on internet-facing hosts, commonly deployed on small/medium organisations using off-the-shelf stacks (LAMP/Windows stacks with web interfaces). Publicly accessible admin endpoints are the primary exposure.

Detection ideas

  • Web server/database error logs showing SQL syntax errors from the ID parameter.
  • Unusual query patterns or UNION/SELECT attempts in access logs.
  • WAF/IPS alerts for SQL injection signatures targeting the vulnerable endpoint.
  • Spike in data transfer or abnormal DB query load from the web server.
  • Audit logs showing unexpected modifications to sensitive tables.
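A small log-triage script for the first two detection ideas, added here as an example and not part of the advisory: it parses Apache combined-format access log lines (constructed below), keeps only requests to the vulnerable path with view=view, and flags any ID value that contains common SQL-injection tokens or is not a plain integer. It assumes a legitimate ID is numeric, which the advisory does not state.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format access log lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2025:19:10:01 +0000] "GET /justines/admin/mod_comments/index.php?view=view&ID=12 HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Sep/2025:19:10:05 +0000] "GET /justines/admin/mod_comments/index.php?view=view&ID=12%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 321 "-" "curl/8.4.0"
198.51.100.4 - - [22/Sep/2025:19:11:00 +0000] "GET /justines/index.php?page=home HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Sep/2025:19:12:30 +0000] "GET /justines/admin/mod_comments/index.php?view=view&ID=1%20OR%201%3D1 HTTP/1.1" 200 9876 "-" "python-requests/2.31.0"
"""

# Path named in the advisory.
VULN_PATH = "/justines/admin/mod_comments/index.php"

# Apache combined log format: client IP, timestamp, request line, status code.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens typical of SQL injection attempts against a numeric parameter:
# UNION ... SELECT, tautologies such as OR 1=1, string terminators, SQL comments.
SQLI_RE = re.compile(r"(?i)\bunion\b\s+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'|--|/\*")


def find_suspicious(log_text):
    """Return one record per request whose ID value looks like an injection attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != VULN_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if params.get("view") != ["view"]:
            continue
        for value in params.get("ID", []):
            # Assumption: a legitimate ID is a plain integer; anything else is suspect,
            # and a recognised SQL token is a stronger signal than merely non-numeric.
            if SQLI_RE.search(value):
                reason = "sqli-pattern"
            elif not value.isdigit():
                reason = "non-numeric"
            else:
                continue
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "id": value, "reason": reason})
    return hits
```

The status code is kept in each record so a 500 alongside a flagged ID can be correlated with the SQL syntax errors the first detection idea describes.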

Mitigation and prioritisation

  • Apply vendor patch or upgrade to fixed version; verify advisory and test in staging.
  • If a patch is not yet available, implement compensating controls: parameterised queries, input validation/sanitisation, and disabling dynamic SQL in the affected module.
  • Restrict external access to the admin endpoints; enforce strong authentication and least privilege.
  • Deploy targeted WAF/IPS rules to block common SQLi payloads and monitor for suspicious activity.
  • Enable detailed logging and rapid incident response; review database user permissions and activity.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1.
