CVE Alert: CVE-2025-11608 – code-projects – E-Banking System

CVE-2025-11608

HIGH
No exploitation known

A security vulnerability has been detected in code-projects E-Banking System 1.0. This affects an unknown function of the file /register.php of the component POST Parameter Handler. The manipulation of the argument username/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1: 7.3
Vendor: code-projects
Product: E-Banking System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-11T17:02:05.989Z
Updated: 2025-10-11T17:02:05.989Z

AI Summary Analysis

**Risk verdict**: High risk due to remote, unauthenticated SQL injection with a publicly disclosed exploit; treat as a priority.

**Why this matters**: The register endpoint can leak or corrupt data directly in the database and potentially expose customer information. While overall impacts on other assets may be limited, the ability to reach the DB from the web tier without user interaction broadens attacker goals beyond simple defacement.

**Most likely attack path**: An attacker targets the POST Parameter Handler via /register.php, supplying crafted inputs in username/password to trigger SQLi. No user interaction or credentials are required, which enables data reads/writes and potentially partial persistence where DB permissions are lax. Lateral movement is unlikely without additional misconfigurations, but a single foothold could enable broader data exposure from the app’s DB.

**Who is most exposed**: Internet-facing E-Banking System deployments, particularly on traditional LAMP/web stacks or those with weak DB access controls and default permissions. Public exposure increases the window for automated exploitation.

**Detection ideas**:

  • Unusual or crafted POST payloads to /register.php.
  • SQL error messages or database errors in application logs or responses.
  • WAF/IPS alerts for SQLi patterns on the register endpoint.
  • Spike patterns of registration attempts with anomalous characters/payloads.
  • Abnormal DB query activity from the web server.
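Detection logic for the first and fourth ideas above, as an added example that is not part of this advisory: it scans a constructed request log (an assumed format, one JSON record per request with captured form fields) for SQLi-shaped values in the username/password parameters of POST /register.php and for bursts of registration attempts from a single source IP.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (one JSON record per request), as a reverse proxy or WAF that captures form fields might emit.
SAMPLE_LOG = """\
{"ts":"2025-10-12T09:00:01Z","ip":"203.0.113.5","method":"POST","path":"/register.php","form":{"username":"alice","password":"Sunny-Day-42"}}
{"ts":"2025-10-12T09:00:03Z","ip":"203.0.113.5","method":"POST","path":"/register.php","form":{"username":"alice'--","password":"x"}}
{"ts":"2025-10-12T09:00:04Z","ip":"203.0.113.5","method":"POST","path":"/register.php","form":{"username":"a' OR '1'='1","password":"x"}}
{"ts":"2025-10-12T09:00:05Z","ip":"203.0.113.5","method":"POST","path":"/register.php","form":{"username":"bob","password":"x' UNION SELECT 1,2,3 -- "}}
{"ts":"2025-10-12T09:01:10Z","ip":"198.51.100.7","method":"POST","path":"/register.php","form":{"username":"carol","password":"Proper-Passw0rd"}}
{"ts":"2025-10-12T09:01:11Z","ip":"198.51.100.7","method":"GET","path":"/index.php","form":{}}
"""

# Signatures for the injection shapes a WAF would flag in a string context.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),        # quote-breaking tautology
    re.compile(r"'.*(--|/\*)"),                             # quote followed by a SQL comment
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),       # UNION-based extraction
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I), # stacked statements
]
MONITORED_FIELDS = ("username", "password")  # the parameters named in the advisory

def suspicious_fields(form):
    """Return the monitored form fields whose value matches any SQLi signature."""
    return [f for f in MONITORED_FIELDS
            if any(p.search(str(form.get(f, ""))) for p in SQLI_PATTERNS)]

def analyse(log_text, burst_window=timedelta(seconds=60), burst_threshold=3):
    alerts, attempts = [], defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        if ev["method"] != "POST" or ev["path"] != "/register.php":
            continue  # only the vulnerable endpoint is of interest here
        hits = suspicious_fields(ev.get("form", {}))
        if hits:
            alerts.append({"type": "sqli_pattern", "ip": ev["ip"], "ts": ev["ts"], "fields": hits})
        attempts[ev["ip"]].append(datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0  # sliding window over sorted timestamps; peak = most POSTs in any window
        for i, t in enumerate(times):
            while t - times[start] > burst_window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= burst_threshold:
            alerts.append({"type": "burst", "ip": ip, "count": peak})
    return alerts
```

Password fields legitimately contain quotes and symbols, so treat a hit on password alone as lower confidence than one on username, and tune the burst threshold to the site's normal registration rate.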

**Mitigation and prioritisation**:

  • Apply vendor patch or upgrade to patched version; verify availability.
  • Migrate to parameterised queries/prepared statements; remove dynamic SQL.
  • Enforce strict input validation and canonicalisation on POST fields.
  • Principle of least privilege: DB user for the web app with restricted rights.
  • Enable and tune web application firewall rules to block SQLi patterns; implement robust monitoring and alerting.
  • Change-management: validate fixes in staging before production; consider compensating controls if patching is delayed. If a public exploit is confirmed in your environment, escalate to priority 1.
