Fabian Scholars Tracking System vulnerabilities

CVE-2025-70152 [CRITICAL] CWE-89 CVE-2025-70152: code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the a code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/save_user.php and /admin/update_user.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters (firstname, lastname, username, password, user_id) into SQL queries with

CVE-2025-70151 [HIGH] CWE-434 CVE-2025-70151: code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code e code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension.

CVE-2025-14940 [MEDIUM] CWE-74 CVE-2025-14940: A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element i A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

CVE-2025-14951 [MEDIUM] CWE-74 CVE-2025-14951: A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impact A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

CVE-2025-14950 [MEDIUM] CWE-74 CVE-2025-14950: A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element i A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

CVE-2024-24098 [HIGH] CWE-89 CVE-2024-24098: Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed. Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed.