Multiple vulnerabilities in 101news

Posted date 03/03/2025
Identifier
INCIBE-2025-0113
Importance
5 - Critical
Affected Resources

101news, version 1.0.

Description

INCIBE has coordinated the publication of 7 vulnerabilities of critical severity affecting 101news, an online news portal developed by Mayuri K. The vulnerabilities were discovered by Rafael Pedrero.

Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-1869 to CVE-2025-1875: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89

Solution

There is no reported solution at this time.

Detail

Several SQL injection vulnerabilities have been found in 101news, affecting version 1.0. The affected parameters and their assigned identifiers are as follows:

  • CVE-2025-1869: parameter "username" in admin/check_avalability.php.
  • CVE-2025-1870: parameter "pagedescription" in admin/aboutus.php.
  • CVE-2025-1871: parameters "category" and "subcategory" in admin/add-subcategory.php.
  • CVE-2025-1872: parameter "sadminusername" in admin/add-subadmins.php.
  • CVE-2025-1873: parameters "pagetitle" and "pagedescription" in admin/contactus.php.
  • CVE-2025-1874: parameter "description" in admin/add-category.php.
  • CVE-2025-1875: parameter "searchtitle" in search.php.
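
A triage sketch for defenders while no fix is available, added here as an example and not part of INCIBE's advisory or the 101news code: it checks parsed requests against the endpoint and parameter pairs listed above and flags values that carry SQL syntax. The `triage` function, the `SUSPICIOUS` pattern and the sample requests are assumptions made for illustration; the advisory does not say whether each parameter arrives in the query string or in a form body, so both are checked.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (CVE id, affected parameters), copied from the advisory's Detail list.
AFFECTED = {
    "admin/check_avalability.php": ("CVE-2025-1869", {"username"}),
    "admin/aboutus.php": ("CVE-2025-1870", {"pagedescription"}),
    "admin/add-subcategory.php": ("CVE-2025-1871", {"category", "subcategory"}),
    "admin/add-subadmins.php": ("CVE-2025-1872", {"sadminusername"}),
    "admin/contactus.php": ("CVE-2025-1873", {"pagetitle", "pagedescription"}),
    "admin/add-category.php": ("CVE-2025-1874", {"description"}),
    "search.php": ("CVE-2025-1875", {"searchtitle"}),
}

# Assumed heuristic: quoting, comment and keyword tokens that rarely belong in these fields.
SUSPICIOUS = re.compile(r"""['"`;]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.I)

def triage(url, body=""):
    """Return [(cve, parameter)] for affected parameters whose value carries SQL syntax."""
    parts = urlsplit(url)
    # Merge query-string and form-encoded body fields; parse_qs also URL-decodes them.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(name, []).extend(values)
    hits = []
    for endpoint, (cve, params) in AFFECTED.items():
        # Match on the path suffix so any install prefix (e.g. /101news/) is accepted.
        if not parts.path.endswith("/" + endpoint):
            continue
        for name in sorted(params.intersection(fields)):
            if any(SUSPICIOUS.search(value) for value in fields[name]):
                hits.append((cve, name))
    return hits

# Constructed sample requests (url, form body); not taken from the advisory.
SAMPLES = [
    ("/101news/search.php?searchtitle=local+elections", ""),
    ("/101news/search.php?searchtitle=news%27--+", ""),
    ("/101news/admin/contactus.php", "pagetitle=Contact&pagedescription=x%27--+"),
    ("/101news/admin/add-category.php", "category=Sports&description=Match+reports"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, triage(url, body))
```

A hit is a lead for review rather than a verdict, since legitimate text in fields such as "pagedescription" can contain apostrophes.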