CVE-2025-13121 identifies a SQL injection vulnerability in cameasy Liketea version 1.0.0, specifically in the list function of the API endpoint located in laravel/app/Http/Controllers/Front/StoreController.php. The vulnerability arises due to improper sanitization or validation of the lng (longitude) and lat (latitude) parameters, which are used in SQL queries without adequate protection. An attacker can remotely craft malicious inputs for these parameters to manipulate the underlying SQL query, potentially extracting sensitive data, modifying database entries, or causing denial of service. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium), reflecting the ease of exploitation and the partial impact on confidentiality, integrity, and availability. Although no public exploits are currently observed in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The affected product is a Laravel-based web application component, which is common in web services, making this vulnerability relevant for organizations using cameasy Liketea 1.0.0 in their infrastructure.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive data stored in backend databases, including customer information, business data, or credentials. Data integrity could be compromised by unauthorized modifications or deletions. Availability might be affected if attackers execute queries that disrupt database operations or cause application crashes. Organizations in sectors such as retail, logistics, or services using cameasy Liketea could face operational disruptions, reputational damage, and regulatory consequences under GDPR if personal data is exposed. The remote, unauthenticated nature of the vulnerability increases the risk of widespread exploitation, especially if the product is exposed to the internet without adequate protections. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, especially given the public disclosure.

1. Immediate application of vendor patches or updates once available is the most effective mitigation. 2. Until patches are released, implement strict input validation and sanitization on lng and lat parameters to reject malformed or suspicious inputs. 3. Refactor the affected API endpoint to use parameterized queries or prepared statements to prevent SQL injection. 4. Employ Web Application Firewalls (WAFs) with rules targeting SQL injection patterns on the affected endpoints. 5. Monitor logs and network traffic for unusual query patterns or repeated access attempts targeting lng/lat parameters. 6. Restrict external access to the API endpoint where possible, using network segmentation or VPNs. 7. Conduct code reviews and security testing on similar API endpoints to identify and remediate other injection risks. 8. Educate developers on secure coding practices related to database interactions in Laravel applications.