CVE-2025-1168 in Contact Manager with Export to VCFinfo

Summary

by MITRE • 02/11/2025

A vulnerability was found in SourceCodester Contact Manager with Export to VCF 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/delete-contact.php. The manipulation of the argument contact leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/04/2025

The vulnerability identified as CVE-2025-1168 represents a critical sql injection flaw within the SourceCodester Contact Manager with Export to VCF 1.0 application. This vulnerability resides in the /endpoint/delete-contact.php file and demonstrates a severe weakness in the application's input validation and query construction mechanisms. The flaw specifically manifests when the contact argument is manipulated, allowing attackers to inject malicious sql code directly into the database query execution flow. This type of vulnerability falls under the CWE-89 category, which specifically addresses sql injection vulnerabilities, and aligns with the ATT&CK technique T1190 for exploiting vulnerabilities in web applications.

The remote exploitation capability of this vulnerability significantly amplifies its threat level, as attackers can leverage this flaw without requiring physical access to the target system. The disclosure of the exploit to the public means that malicious actors can readily implement this attack vector against vulnerable installations. The sql injection vulnerability enables unauthorized access to the underlying database, potentially allowing attackers to extract sensitive contact information, modify or delete records, and in some cases gain further access to the system through database privileges. The attack surface extends beyond simple data theft to include potential system compromise and data integrity violations.

The operational impact of this vulnerability is substantial for organizations using the affected contact manager application. Successful exploitation could result in complete database compromise, leading to unauthorized access to all stored contact information including personal and potentially sensitive data. The vulnerability's critical severity classification indicates that it can be easily exploited and has significant consequences for data confidentiality, integrity, and availability. Organizations relying on this application for contact management may face regulatory compliance violations, data breach notifications, and potential legal ramifications. The vulnerability also represents a potential stepping stone for attackers to escalate privileges and move laterally within network environments where the application is deployed.

Mitigation strategies should focus on immediate patching of the vulnerable application to address the specific sql injection flaw in the delete-contact.php endpoint. Input validation and parameterized queries should be implemented to prevent malicious sql code from being executed. Network segmentation and access controls should be enforced to limit exposure of the vulnerable application. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other applications. The implementation of web application firewalls and database activity monitoring can provide additional layers of protection. Organizations should also consider implementing automated patch management processes to ensure timely remediation of known vulnerabilities. Security awareness training for developers should emphasize secure coding practices to prevent similar injection vulnerabilities in future application development cycles.

Responsible

VulDB

Disclosure

02/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00522

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!