CVE Alert: CVE-2025-12929 – SourceCodester – Survey Application System
CVE-2025-12929
A flaw has been found in SourceCodester Survey Application System 1.0. It affects the functions save_user/update_user of the file /LoginRegistration.php. Manipulating the argument fullname can lead to SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. Other parameters might be affected as well.
AI Summary Analysis
Risk verdict
High risk: unauthenticated remote SQL injection with a publicly disclosed proof-of-concept exploit, which could lead to rapid compromise.
Why this matters
The flaw enables unauthenticated manipulation of database queries via login/registration flows, risking data leakage, modification or destruction and potential broader system compromise. Given the high impact on confidentiality, integrity and availability, attackers could harvest or alter survey data or pivot to adjacent services.
Most likely attack path
An attacker can trigger the vulnerability over the network by sending crafted input to the fullname parameter (and possibly others) in LoginRegistration.php, without authentication. With PR:N and UI:N, the attack requires no user interaction and can directly affect the database, enabling data exfiltration or tampering and potential lateral movement within the application stack.
Who is most exposed
Internet-facing instances of SourceCodester Survey Application System are most at risk, particularly those deployed on common web stacks (e.g., LAMP) in SMEs or hosting environments where public login/registration pages are exposed without strict input handling.
Detection ideas
- Unusual or failed SQL errors visible in application or DB logs.
- Anomalous queries originating from LoginRegistration.php, especially UPDATE/SELECT statements built from unparameterised input.
- Spikes in authentication-related traffic or failed login attempts with crafted payloads.
- WAF/IDS alerts showing SQLi-like payloads targeting fullname or similar fields.
- Post-exploitation data access patterns (unexpected data volume or access from unusual accounts).
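The detection ideas above can be turned into a simple log check. The script below is an added example, not part of the original advisory or of the SourceCodester project: it parses constructed access-log and application-log lines (sample data, not real traffic), decodes the query string of requests to /LoginRegistration.php, and flags parameter values that carry SQL-injection-style tokens, rating hits on fullname higher because that is the parameter named in the advisory. The log formats, IP addresses, and marker strings are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /LoginRegistration.php?action=save_user&fullname=Alice+Smith&email=a%40example.test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2025:10:01:07 +0000] "GET /LoginRegistration.php?action=update_user&fullname=x%27+OR+%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.9 - - [10/Nov/2025:10:01:09 +0000] "POST /LoginRegistration.php HTTP/1.1" 200 120 "-" "curl/8.4.0"
198.51.100.2 - - [10/Nov/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed application/DB error log lines (assumed format).
SAMPLE_APP_LOG = """\
[10/Nov/2025:10:01:07 +0000] PHP Warning: mysqli_query(): You have an error in your SQL syntax near ''1'='1' in /var/www/LoginRegistration.php
[10/Nov/2025:10:01:30 +0000] notice: session started for user 17
"""

# Combined-log-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that rarely appear in a legitimate person's name but are typical of
# SQL injection probes: quote+OR/AND, UNION SELECT, comment introducers,
# stacked statements, and time-based functions.
SQLI_PATTERN = re.compile(
    r"['\"]\s*(?:or|and)\b"
    r"|\bunion\b\s+(?:all\s+)?select\b"
    r"|--|/\*"
    r"|;\s*(?:drop|update|delete|insert|alter)\b"
    r"|\b(?:sleep|benchmark)\s*\(",
    re.IGNORECASE,
)

WATCHED_SCRIPT = "/loginregistration.php"   # the file named in the advisory
WATCHED_PARAMS = ("fullname",)               # extend as other parameters are confirmed

# Strings that indicate the database rejected a malformed statement.
DB_ERROR_MARKERS = (
    "You have an error in your SQL syntax",
    "SQLSTATE[42000]",
    "Unknown column",
)


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per parameter value that looks like an SQLi probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path.lower() != WATCHED_SCRIPT:
            continue
        # parse_qs already percent-decodes once; decode again to catch
        # double-encoded payloads that a naive filter would miss.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                decoded = unquote_plus(raw)
                if SQLI_PATTERN.search(decoded):
                    findings.append({
                        "ip": m["ip"],
                        "timestamp": m["ts"],
                        "param": name,
                        "value": decoded,
                        "status": m["status"],
                        "severity": "high" if name in WATCHED_PARAMS else "medium",
                    })
    return findings


def scan_app_log(text: str) -> list[str]:
    """Return application/DB log lines that report SQL errors."""
    return [line for line in text.splitlines()
            if any(marker in line for marker in DB_ERROR_MARKERS)]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['param']}={f['value']!r} status={f['status']}")
    for line in scan_app_log(SAMPLE_APP_LOG):
        print("DB error:", line)
```

Correlating the two outputs by timestamp and client IP (a request flagged by the first scan followed within seconds by a DB syntax error) is a stronger signal than either alone, and keeps false positives from names such as O'Brien low because the pattern requires an operator or comment token after the quote.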
Mitigation and prioritisation
- Patch or upgrade to the fixed version; verify vendor advisory and apply promptly.
- Implement parameterised queries/prepared statements and strict input validation in all user-supplied fields.
- Deploy web application firewall rules targeting SQL injection patterns; enable anomaly detection.
- Enforce least privilege for the application DB user; separate application and data layers where feasible.
- Plan testing and rollback in staging, with change-management notes and monitoring after deployment. Treat as priority 1 if KEV/EPSS indicators become available or active.
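To make the second mitigation concrete, here is an added example (not code from the advisory or from the SourceCodester project, whose code is PHP) that contrasts an update built by string concatenation with the same update done through a prepared statement plus input validation. It uses Python's sqlite3 module and a constructed in-memory users table; the table layout, the fullname format rule, and the update functions are assumptions chosen to mirror the flaw class described above, not the application's real schema.

```python
import re
import sqlite3

# Defence in depth: a fullname format rule (assumed policy). Apostrophes are
# allowed because real names contain them; the prepared statement, not this
# rule, is what makes the query safe.
FULLNAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,79}$")


def validate_fullname(fullname: str) -> str:
    if not FULLNAME_RE.fullmatch(fullname):
        raise ValueError("fullname contains disallowed characters or is too long")
    return fullname


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, fullname TEXT NOT NULL, "
        "role TEXT NOT NULL DEFAULT 'user')"
    )
    conn.executemany(
        "INSERT INTO users (fullname, role) VALUES (?, ?)",
        [("Alice Smith", "user"), ("Bob Jones", "admin")],
    )
    conn.commit()
    return conn


def update_user_vulnerable(conn: sqlite3.Connection, user_id: int, fullname: str) -> None:
    # The flaw class from the advisory: the user-supplied value becomes part of
    # the SQL text, so quotes in it change the statement's structure.
    sql = f"UPDATE users SET fullname = '{fullname}' WHERE id = {user_id}"
    conn.execute(sql)
    conn.commit()


def update_user_fixed(conn: sqlite3.Connection, user_id: int, fullname: str) -> None:
    # Prepared statement: the driver sends the value separately from the SQL,
    # so it is always stored as data and the WHERE clause cannot be altered.
    conn.execute("UPDATE users SET fullname = ? WHERE id = ?", (fullname, user_id))
    conn.commit()


def names_in_db(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT fullname FROM users ORDER BY id")]


def run_comparison() -> dict:
    """Apply the same two inputs through both code paths and record the outcome."""
    results = {}

    # 1. A legitimate name containing an apostrophe.
    conn = setup_db()
    try:
        update_user_vulnerable(conn, 1, "Conor O'Brien")
        results["vuln_apostrophe"] = "accepted"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "sql error"   # availability/integrity failure on valid input
    conn = setup_db()
    update_user_fixed(conn, 1, validate_fullname("Conor O'Brien"))
    results["fixed_apostrophe"] = names_in_db(conn)

    # 2. A value that closes the string and rewrites the WHERE clause.
    crafted = "Mallory' WHERE 1=1 --"
    conn = setup_db()
    update_user_vulnerable(conn, 1, crafted)
    results["vuln_crafted"] = names_in_db(conn)    # every row is overwritten
    try:
        update_user_fixed(setup_db(), 1, validate_fullname(crafted))
    except ValueError:
        results["fixed_crafted"] = "rejected by validation"
    # Even without the format rule, the prepared statement only touches row 1
    # and stores the literal text.
    conn = setup_db()
    update_user_fixed(conn, 1, crafted)
    results["fixed_crafted_no_validation"] = names_in_db(conn)
    return results


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

The same contrast applies to the PHP application: replacing string-built `mysqli_query` calls with `mysqli_prepare`/`bind_param` or PDO prepared statements is the change that removes the vulnerability, and the format check on fullname is an additional layer that also produces a clean validation error instead of a database error in the logs.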