CVE Alert: CVE-2025-10813 – code-projects – Hostel Management System

CVE-2025-10813

Severity: HIGH. Exploitation in the wild: none known. Proof of concept: observed.

A vulnerability was found in code-projects Hostel Management System 1.0. An unknown function of the file /justines/admin/mod_reports/index.php is affected. Manipulation of the argument Home results in SQL injection. The attack can be launched remotely. A public exploit exists and could be used.

CVSS v3.1 (7.3)
Vendor
code-projects
Product
Hostel Management System
Versions
1.0
CWE
CWE-89, SQL Injection
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published
2025-09-22T20:02:05.881Z
Updated
2025-09-22T20:27:56.750Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection that the CVSS vector rates as requiring neither privileges nor user interaction (PR:N/UI:N), with a public proof of concept (E:P) and a request that is trivial to automate; remediate urgently. Note that the vulnerable endpoint sits under /justines/admin/, so check whether your deployment actually enforces authentication on that path; the score assumes it does not.

Why this matters

Exploitation could expose or alter resident data and administrative records, undermining trust and regulatory compliance. The vector rates confidentiality, integrity and availability impact as low (C:L/I:L/A:L), but even partial read or write access to the reporting database can be leveraged for fraud, tampering with resident or billing records, or as a foothold for further probing of the hosting environment.

Most likely attack path

A remote, network-based request to the vulnerable index.php endpoint, needing neither privileges nor user interaction. An attacker, or a scanner replaying the public PoC, injects SQL through the Home parameter to read or modify database contents; heavy or time-based payloads can also degrade database availability.

Who is most exposed

Internet-facing installations of this PHP application on common stacks (e.g., LAMP or Windows/IIS) whose /justines/admin/ path is reachable without network restrictions are at highest risk. Small operators who deployed the package as-is, with no input validation in front of the Home parameter and no WAF, are especially exposed.

Detection ideas

  • Repeated requests to /justines/admin/mod_reports/index.php whose Home parameter, after URL decoding, contains quotes, SQL keywords, comment sequences or tautologies such as 1=1
  • SQL error messages or database warnings in application or web-server logs, especially HTTP 500 responses from that endpoint
  • Spikes in slow queries or database connection counts coinciding with admin report accesses
  • Signature matches against publicly available PoC payloads
  • WAF alerts for SQL injection attempts targeting the endpoint
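The first detection idea, worked through as an added example (not code from the advisory or from the code-projects project): scan web-server access-log lines for requests to the affected path, URL-decode the Home parameter and score it for SQL-injection indicators. The log lines are constructed for the example, the scoring patterns and threshold are the author's own assumptions, and the payloads shown are generic injection strings rather than the published PoC.

```python
"""Access-log scan for SQL injection attempts against the vulnerable endpoint.

Added example; the log lines, regexes and threshold are constructed/assumed and
not taken from the advisory or the product.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/justines/admin/mod_reports/index.php"
PARAM = "Home"

# Indicators that the Home value is trying to alter SQL structure. Each
# pattern that matches adds one point; legitimate values should score 0.
SQLI_PATTERNS = [
    re.compile(r"['\"]"),                                     # breaks out of a string literal
    re.compile(r"(--|#|/\*)"),                                 # SQL comment sequences
    re.compile(r"\b(union|select|sleep|benchmark|or|and)\b", re.I),
    re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=", re.I),    # tautology such as OR 1=1
]

# Apache/nginx combined log format (constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Sep/2025:20:10:01 +0000] "GET /justines/admin/mod_reports/index.php?Home=1 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [22/Sep/2025:20:10:02 +0000] "GET /justines/admin/mod_reports/index.php?Home=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 9876',
    '198.51.100.7 - - [22/Sep/2025:20:10:03 +0000] "GET /justines/admin/mod_reports/index.php?Home=1%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 512',
    '198.51.100.9 - - [22/Sep/2025:20:10:04 +0000] "GET /justines/index.php?Home=%27 HTTP/1.1" 200 300',
]


def extract_home(target):
    """Return the decoded Home value from a request target, or None if absent."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    # parse_qs already decoded once; decoding again catches double-encoded
    # payloads (%2527) that a WAF looking at the raw query string may miss.
    return unquote_plus(values[0])


def score(value):
    """Number of injection indicators present in a decoded parameter value."""
    return sum(1 for pattern in SQLI_PATTERNS if pattern.search(value))


def scan(lines, threshold=2):
    """Return the log entries whose Home value scores at or above the threshold."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        home = extract_home(match.group("target"))
        if home is None:
            continue
        points = score(home)
        if points >= threshold:
            hits.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "status": int(match.group("status")),
                "home": home,
                "score": points,
            })
    return hits


def summarize(hits):
    """Count flagged requests per source address to surface repeated probing."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for hit in flagged:
        print(f'{hit["ip"]} {hit["ts"]} status={hit["status"]} score={hit["score"]} Home={hit["home"]!r}')
    print("per source:", summarize(flagged))
```

Only the second and third sample lines are flagged: the first carries a benign value, and the fourth hits a different path with the same parameter name, so the path filter drops it. In production, feed the function from the live access log and alert on any source with more than a handful of hits in a short window.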

Mitigation and prioritisation

  • Apply a vendor patch or upgrade to a fixed version if one is released; this alert lists only version 1.0 and no fixed release, so until then rely on compensating controls (WAF rules for the endpoint, input validation on Home, and parameterised queries in the affected code)
  • Rewrite the affected query as a prepared, parameterised statement so the Home value can never change the SQL structure, and validate Home against the format the report actually expects
  • Run the application with a least-privilege database account; segregate admin database access; disable the reports module if it is not needed
  • Reduce exposure: restrict the admin path by network allowlist, require MFA on the admin login, and rate-limit requests to the endpoint
  • Schedule remediation within change-control windows; verify the fix in a test environment before production rollout and monitor the endpoint afterwards for anomalies
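The second bullet (parameterised query plus input validation), shown as an added example. The product is PHP and its actual query and schema for the Home parameter are not published in this alert, so this illustrates the defect class and the fix with Python and sqlite3 on a constructed table; the `reports` schema, the `HOME_RE` allowlist and the payload string are all assumptions, not the application's code or the published PoC.

```python
"""String-concatenated query (CWE-89) next to its parameterised, validated replacement.

Added example on a constructed in-memory database; the table, column names,
allowlist and payload are assumed and do not come from the product.
"""
import re
import sqlite3


def make_db():
    """Build a small in-memory table standing in for the application's reports data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (id INTEGER PRIMARY KEY, home TEXT, resident TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO reports (home, resident, balance) VALUES (?, ?, ?)",
        [("block-a", "A. Resident", 120.0),
         ("block-b", "B. Resident", 0.0),
         ("block-c", "C. Resident", 45.5)],
    )
    return conn


def reports_vulnerable(conn, home):
    """Defect: the untrusted Home value is interpolated into SQL text.

    A value such as  ' OR '1'='1  closes the literal and appends a tautology,
    so the WHERE clause matches every row.
    """
    sql = f"SELECT resident, balance FROM reports WHERE home = '{home}'"
    return conn.execute(sql).fetchall()


# Assumed allowlist for Home; replace with the format the real report expects.
HOME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def reports_fixed(conn, home, validate=True):
    """Fix: validate the input, then bind it as a parameter.

    With a bound parameter the value travels separately from the SQL text, so
    quotes and keywords inside it are just bytes compared against the column.
    The allowlist is defence in depth: it rejects junk before it reaches the DB.
    """
    if validate and not HOME_RE.fullmatch(home):
        raise ValueError("invalid Home parameter")
    return conn.execute(
        "SELECT resident, balance FROM reports WHERE home = ?", (home,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, normal input :", reports_vulnerable(conn, "block-a"))
    print("vulnerable, payload      :", reports_vulnerable(conn, payload))
    print("fixed (no validation), payload:", reports_fixed(conn, payload, validate=False))
    try:
        reports_fixed(conn, payload)
    except ValueError as exc:
        print("fixed, payload rejected  :", exc)
```

The parameterised query alone already defeats the payload (it returns no rows because no home is literally named `' OR '1'='1`); the allowlist is there so that malformed input is rejected and logged at the edge rather than silently querying the database. The same two-step pattern applies in the application's own language, where PDO or mysqli prepared statements provide the parameter binding.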
