SQL Injection Vulnerability in JoeyBling Bootplus Admin Interface
CVE-2025-0701

5.3MEDIUM

Key Information:

Vendor

Joeybling

Status
Vendor
CVE Published:
24 January 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-0701?

A critical SQL injection vulnerability has been identified in the JoeyBling bootplus product, specifically in the admin interface under the /admin/sys/user/list endpoint. This issue arises from inadequate input validation on the 'sort' argument, which could allow an attacker to manipulate database queries. The potential for remote exploitation raises significant security concerns, as unauthorized access to sensitive data may be achievable. As the product utilizes rolling releases, specific version details for both affected and patched releases remain unspecified, highlighting the need for immediate attention and possible remediation strategies.

Affected Version(s)

bootplus 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LVZC3 (VulDB User)
.