PT-2026-20479 · Code Projects · Scholars Tracking System
Published 2026-02-18 · Updated 2026-02-18 · CVE-2025-70152
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
code-projects Community Project Scholars Tracking System version 1.0
Description
The software contains a SQL Injection issue in the admin user management endpoints. The endpoints /admin/save user.php and /admin/update user.php do not have authentication checks and directly concatenate user-supplied POST parameters into SQL queries without validation or parameterization. Because the endpoints are unauthenticated, the injection is reachable without any credentials (PR:N in the vector above). The vulnerable parameters are firstname, lastname, username, password, and user id.
Recommendations
Apply input validation and parameterized queries to the
/admin/save user.php and /admin/update user.php endpoints.
Implement authentication checks for access to the /admin/save user.php and /admin/update user.php endpoints.
Exploit
Fix
SQL injection
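The defect pattern named in the Description, shown next to a version that applies all of the Recommendations (authentication check, input validation, parameterized query). This is an added illustration written for this advisory, not code from the Scholars Tracking System; the table name `users`, the column names, the `$_SESSION['admin_id']` key and the `mysqli` connection are assumptions.

```php
<?php
// Added illustration for this advisory; not the project's own code.
// Hypothetical reconstruction of the vulnerable pattern: an unauthenticated
// admin endpoint that splices POST fields straight into the SQL text.
function update_user_vulnerable(mysqli $db): void
{
    $id    = $_POST['user_id'];      // no auth, no type check
    $first = $_POST['firstname'];
    // The request body becomes part of the statement itself, so the
    // database cannot tell data apart from SQL syntax.
    $sql = "UPDATE users SET firstname='$first' WHERE id=$id";
    $db->query($sql);
}

// Hardened version (assumed schema: users(id, firstname, lastname,
// username, password)). Each numbered step maps to one recommendation.
function update_user_fixed(mysqli $db): void
{
    session_start();
    if (empty($_SESSION['admin_id'])) {            // 1. authentication check
        http_response_code(403);
        exit('forbidden');
    }

    // 2. validation: enforce the expected shape before touching the DB
    $id       = filter_input(INPUT_POST, 'user_id', FILTER_VALIDATE_INT);
    $first    = trim((string)($_POST['firstname'] ?? ''));
    $last     = trim((string)($_POST['lastname'] ?? ''));
    $username = trim((string)($_POST['username'] ?? ''));
    if ($id === false || $id === null || $first === ''
        || !preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {
        http_response_code(400);
        exit('invalid input');
    }

    // 3. parameterized query: placeholders in the SQL, values bound by type,
    // so a value is only ever treated as data.
    $stmt = $db->prepare(
        'UPDATE users SET firstname = ?, lastname = ?, username = ? WHERE id = ?'
    );
    $stmt->bind_param('sssi', $first, $last, $username, $id);
    $stmt->execute();
    $stmt->close();

    // Password is optional on update; never store it in clear text.
    $pw = (string)($_POST['password'] ?? '');
    if ($pw !== '') {
        $hash = password_hash($pw, PASSWORD_DEFAULT);
        $s = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $s->bind_param('si', $hash, $id);
        $s->execute();
        $s->close();
    }
}
```

The same three steps apply to the insert path in save user.php; the validation regex and length limits are illustrative and should match whatever the application actually accepts.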
Weakness Enumeration
Related Identifiers
Affected Products
Scholars Tracking System