CVE-2025-8471
Published 2025-08-02
Priority: P2 64 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 0.60% (44.0th percentile)
A vulnerability, which was classified as critical, has been found in projectworlds Online Admission System 1.0. This issue affects some unknown processing of the file /adminlogin.php. The manipulation of the argument a_id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projectworlds | online_admission_system | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /adminlogin.php where the 'a_id' parameter contains SQL comment-obfuscated payloads using /**/ as whitespace substitution (e.g., OR/**/1=1, UNION/**/SELECT, AND/**/SUBSTRING).
- Detect SQL error strings in HTTP responses from /adminlogin.php that indicate successful injection triggering, including: 'you have an error in your sql syntax', 'warning: mysql', 'mysql_fetch_array', 'unknown column', 'sqlstate', 'ora-'.
- The exploit uses a time-based blind technique via SELECT SLEEP(2); detect anomalous response latency (≥2s) on requests to /adminlogin.php with SQL-like a_id parameter values.
- The exploit tool sets a fixed Referer header of 'http://example.com' on all injection requests; this can be used as a supplementary detection signal in WAF/proxy logs.
- The exploit writes output to a local file named 'result.log'; presence of this file on a web server host may indicate post-exploitation activity from this tool.
- The attack is unauthenticated and remotely initiated via GET request to /adminlogin.php; no session or authentication cookie is required for exploitation.
- The exploit targets specifically projectworlds Online Admission System version 1.0; the vulnerable parameter is 'a_id' in /adminlogin.php only.
- The exploit uses /**/ comment blocks as whitespace substitutes to bypass naive keyword-based WAF filters; detection rules must account for this obfuscation pattern in URL-decoded parameter values.
- The exploit tool supports optional cookie-file injection (--cookie flag), meaning authenticated-session variants of the attack are also possible if a valid session cookie is supplied.
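The request-side signals listed above can be combined into a single log check. The following is an added example, not code from this page or from any source it indexes; the tab-separated log format (request URL, Referer, response seconds) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ and other inline SQL comments
SQL_WORD = re.compile(r"\b(or|and|union|select|substring|sleep)\b", re.I)

def score_request(url, referer, seconds):
    """Return the detection signals (named after the notes above) one request matches."""
    parts = urlsplit(url)
    if parts.path != "/adminlogin.php":
        return []
    signals = []
    # parse_qs URL-decodes values, so the checks run on the decoded a_id.
    for value in parse_qs(parts.query, keep_blank_values=True).get("a_id", []):
        if COMMENT.search(value):
            signals.append("comment-obfuscation")
        # Collapse comments to a space so OR/**/1=1 is seen as "OR 1=1".
        if SQL_WORD.search(COMMENT.sub(" ", value)):
            signals.append("sql-keyword")
    signals = list(dict.fromkeys(signals))  # de-duplicate, keep order
    if signals:
        # Latency and Referer are supplementary: counted only with a SQL-like a_id.
        if seconds >= 2.0:
            signals.append("latency>=2s")
        if referer == "http://example.com":
            signals.append("fixed-referer")
    return signals

# Constructed sample log lines: request URL <TAB> Referer <TAB> response seconds.
SAMPLE_LOG = [
    "/adminlogin.php?a_id=7\thttp://admissions.example.org/\t0.04",
    "/adminlogin.php?a_id=OR%2F**%2F1%3D1\thttp://example.com\t0.05",
    "/adminlogin.php?a_id=SELECT%2F**%2FSLEEP(2)\thttp://example.com\t2.31",
    "/index.php?a_id=OR%2F**%2F1%3D1\t-\t0.02",
]

def scan(lines):
    """Return (url, signals) for every log line that matches at least one signal."""
    hits = []
    for line in lines:
        url, referer, seconds = line.split("\t")
        signals = score_request(url, referer, float(seconds))
        if signals:
            hits.append((url, signals))
    return hits

if __name__ == "__main__":
    for url, signals in scan(SAMPLE_LOG):
        print(f"{len(signals)} signal(s) {signals} {url}")
```

The response-side check (SQL error strings in the body) needs response capture and is not covered here.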
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.