CVE Alert: CVE-2025-11040 – code-projects – Hostel Management System

CVE-2025-11040

Severity: HIGH
Exploitation status: No exploitation known
PoC observed

A vulnerability was detected in code-projects Hostel Management System 1.0. The issue affects unknown functionality in the file /justines/admin/mod_users/index.php?view=view. Manipulating the ID argument results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used.

CVSS v3.1: 7.3
Vendor: code-projects
Product: Hostel Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-26T20:02:05.772Z
Updated: 2025-09-26T20:33:15.758Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with a publicly available PoC and automation potential warrants prompt attention, though active exploitation status is not confirmed.

Why this matters

Unauthenticated attackers can manipulate the database from the internet, potentially leaking or altering data and causing service disruption. The presence of a PoC and automation capability raises the likelihood of automated scanning and mass exploitation against exposed instances, with business impact ranging from data loss to downtime and reputational damage.

Most likely attack path

Exploitation would be delivered remotely via a vulnerable parameter in a web endpoint, requiring no user interaction or privileges. If successful, attackers could retrieve or modify data and, depending on database permissions, impact availability; because no authentication is required, the attack surface is larger and an attacker can move quickly within the application's data layer.

Who is most exposed

Any publicly reachable admin or backend interface for the system is likely exposed, especially in hosted or on-prem deployments lacking network controls, input validation, or strict access policies.

Detection ideas

  • Unusual DB query patterns or error messages in app logs
  • Spikes of automated probing or SQLi-like payloads in HTTP logs
  • Anomalous data exfiltration or unexpected data modification events
  • WAF/SIEM alerts for SQL injection signatures targeting the endpoint
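An added detection example, not part of the original advisory: a Python script that scans constructed Apache-style access-log lines for requests to the advisory's endpoint whose ID argument is not the expected integer, labels values that carry SQL syntax, and reports source IPs that repeat such requests (the "spike" signal). The log format, the hint list, the burst threshold and the sample lines are assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Endpoint and argument named in the advisory; the application expects a numeric ID.
TARGET_PATH = "/justines/admin/mod_users/index.php"
TARGET_PARAM = "ID"
# Apache common-log line (assumed format for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+')
# Broad indicators of SQL syntax in a value that should only ever be an integer.
SQLI_HINTS = re.compile(r"(['\"]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b)", re.IGNORECASE)

# Constructed sample log lines (not real traffic); 198.51.100.7 repeatedly probes the ID argument.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2025:20:10:01 +0000] "GET /justines/admin/mod_users/index.php?view=view&ID=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Sep/2025:20:10:02 +0000] "GET /justines/admin/mod_users/index.php?view=view&ID=12%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [26/Sep/2025:20:10:03 +0000] "GET /justines/admin/mod_users/index.php?view=view&ID=12-- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Sep/2025:20:10:04 +0000] "GET /justines/admin/mod_users/index.php?view=view&ID=12+AND+1%3D1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Sep/2025:20:10:05 +0000] "GET /justines/admin/mod_users/index.php?view=edit&ID=abc HTTP/1.1" 404 200',
]

def classify_request(url):
    """Reason string for a suspicious ID value sent to the vulnerable endpoint, else None."""
    parsed = urlparse(url)
    if parsed.path != TARGET_PATH:
        return None
    for value in parse_qs(parsed.query, keep_blank_values=True).get(TARGET_PARAM, []):
        if value.isdigit():  # parse_qs has already percent-decoded the value
            continue
        if SQLI_HINTS.search(value):
            return f"sqli-like {TARGET_PARAM}={value!r}"
        return f"non-numeric {TARGET_PARAM}={value!r}"
    return None

def scan_log(lines, burst_threshold=3):
    """Return (hits, bursts): each suspicious (ip, reason) pair, and the IPs that sent
    at least burst_threshold suspicious requests (the 'spike' signal from the list above)."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        reason = classify_request(m.group("url"))
        if reason:
            hits.append((m.group("ip"), reason))
            per_ip[m.group("ip")] += 1
    bursts = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return hits, bursts
```

Calling scan_log(SAMPLE_LOG) returns the four flagged requests and lists 198.51.100.7 as the only repeat offender; the benign integer request and requests to other paths are ignored.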

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a fixed version; if unavailable, implement compensating controls immediately
  • Enforce parameterised queries and rigorous input validation; remove or constrain direct query construction from user input
  • Restrict access to admin endpoints (IP whitelisting, MFA, strong auth) and hide admin paths behind authentication
  • Deploy a web application firewall with SQLi rules and monitor dashboards for anomalous activity
  • Plan rapid patching and testing in staging before production rollout; document changes and rollback plan
