CVE Alert: CVE-2025-12928 – code-projects – Online Job Search Engine
CVE-2025-12928
A vulnerability was detected in code-projects Online Job Search Engine 1.0. It affects an unknown function in the file /login.php. Manipulating the argument username/phone results in SQL injection. The attack can be carried out remotely. A public exploit is available and may be used.
AI Summary Analysis
Risk verdict
High risk due to remote SQL injection in the login flow with public exploit availability; treat with urgent monitoring and patching as soon as feasible.
Why this matters
An attacker can potentially bypass authentication or read and modify user data without authenticating and with minimal preconditions, putting credentials, personal data and user trust at risk. The public exploit increases the likelihood of automated scanning and mass attempts against exposed deployments, amplifying the potential impact across affected environments.
Most likely attack path
A remote attacker sends crafted input for username/phone to login.php to trigger SQL injection; no user interaction is required and no privileges are needed, enabling data exposure or authentication bypass. With CVSS scope unchanged, lateral movement is limited to the application and database layer, but data theft or integrity tampering remains plausible if unrestricted DB access is obtained.
Who is most exposed
Web deployments running code-projects Online Job Search Engine 1.0 on publicly reachable hosts, common in small-to-mid-sized organisations or hosted services where the login surface is internet-facing.
Detection ideas
- Unusual login attempts with SQL error patterns in web/app logs.
- SQL error messages surfaced in responses or WAF alerts targeting login.php.
- Abnormal traffic spikes to login.php from varied IPs or user agents.
- DB query anomalies or unexpected data returned during authentication.
- Indicators of attempted credential enumeration or data exfiltration.
Mitigation and prioritisation
- Patch to fixed version or apply vendor-released remediation immediately.
- Implement parameterised queries and strict input validation on username/phone.
- Deploy web application firewall rules targeting SQLi patterns on login endpoints.
- Enforce least privilege for DB accounts used by the web app; monitor DB activity.
- Change-management: test in staging, rollback plan, notify users if data exposure risk is confirmed.
- If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat as priority 1.
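The parameterised-query and input-validation fix recommended above, as an added illustration that is not the project's own code: the advisory does not show the vulnerable function, so the table and column names (`users`, `username`, `phone`, `password_hash`) and the PDO connection are assumptions.

```php
<?php
// Added example, not code from the Online Job Search Engine project.
// Table and column names are assumptions; the advisory only names the
// login.php endpoint and the username/phone argument.

// Vulnerable pattern (do not use): the request value is spliced into the
// SQL text, so the database cannot distinguish data from query syntax.
//   $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

function validateIdentifier(string $value): ?string
{
    // Strict allow-list: either a phone number of 8-15 digits or a
    // username of 3-32 letters, digits, dots, underscores or hyphens.
    $value = trim($value);
    if (preg_match('/^[0-9]{8,15}$/', $value) === 1) {
        return $value;
    }
    if (preg_match('/^[A-Za-z0-9._-]{3,32}$/', $value) === 1) {
        return $value;
    }
    return null;
}

function authenticate(PDO $db, string $identifier, string $password): ?array
{
    $clean = validateIdentifier($identifier);
    if ($clean === null) {
        return null; // reject malformed input before it reaches the database
    }

    // Prepared statement: the value is bound as a parameter and never
    // interpolated into the query text, so quote characters are inert.
    // Two distinct placeholders are used because native MySQL prepares
    // do not allow the same named placeholder twice.
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users
         WHERE username = :ident OR phone = :ident2 LIMIT 1'
    );
    $stmt->execute([':ident' => $clean, ':ident2' => $clean]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a password_hash() digest, never plaintext.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    unset($user['password_hash']);
    return $user;
}
```

Pair this with a database account that holds only the SELECT privilege the login path needs, as the least-privilege item recommends.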