CVE-2025-51092: n/a

High
Vulnerability, CVE-2025-51092, cve, cve-2025-51092
Published: Fri Aug 22 2025 (08/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The LogIn-SignUp project by VishnuSivadasVS is vulnerable to SQL Injection due to unsafe construction of SQL queries in DataBase.php. The functions logIn() and signUp() build queries by directly concatenating user input and unvalidated table names without using prepared statements. While a prepareData() function exists, it is insufficient to prevent SQL injection and does not sanitize the table name.

AI-Powered Analysis

Last updated: 08/22/2025, 19:33:57 UTC

Technical Analysis

CVE-2025-51092 identifies a SQL Injection vulnerability in the LogIn-SignUp project developed by VishnuSivadasVS. The vulnerability arises from unsafe construction of SQL queries within the DataBase.php file, specifically in the logIn() and signUp() functions. These functions directly concatenate user-supplied input and unvalidated table names into SQL queries without employing prepared statements or adequate sanitization. Although the project includes a prepareData() function intended to sanitize inputs, it is insufficient to prevent SQL injection attacks and notably does not sanitize the table name parameter. This flaw allows an attacker to inject malicious SQL code, potentially manipulating the database queries executed by the application. Exploitation could lead to unauthorized data access, data modification, or even complete compromise of the underlying database. The vulnerability is present in unspecified versions of the software, and no patches or fixes have been published yet. There are no known exploits in the wild at this time, and no CVSS score has been assigned. The lack of prepared statements and inadequate input validation represent a classic and critical security weakness in web applications that interact with databases.

Potential Impact

For European organizations using the LogIn-SignUp project or derivatives thereof, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their data. Successful exploitation could allow attackers to bypass authentication mechanisms, access sensitive user information, modify or delete data, and potentially escalate privileges within the application or connected systems. This could lead to data breaches involving personal data protected under GDPR, resulting in legal penalties and reputational damage. Additionally, compromised authentication systems could facilitate further attacks such as lateral movement within networks or deployment of ransomware. The impact is heightened for organizations handling sensitive or regulated data, including financial institutions, healthcare providers, and government agencies. Even though no known exploits exist currently, the simplicity of exploiting SQL injection vulnerabilities means attackers could develop exploits rapidly once the vulnerability is public. The absence of patches increases the window of exposure for affected organizations.

Mitigation Recommendations

European organizations should immediately audit their use of the LogIn-SignUp project or any software components derived from it. Specific mitigation steps include:

1) Refactor the logIn() and signUp() functions to use parameterized queries or prepared statements to prevent direct concatenation of user inputs into SQL queries.
2) Implement strict input validation and sanitization, especially for table names and other dynamic query components, ideally using whitelisting approaches rather than blacklisting.
3) Conduct thorough code reviews and security testing (including automated static analysis and dynamic testing) to identify and remediate similar injection flaws.
4) If immediate code changes are not feasible, deploy Web Application Firewalls (WAFs) with rules designed to detect and block SQL injection attempts targeting these endpoints.
5) Monitor application logs for suspicious query patterns or repeated failed login attempts that may indicate exploitation attempts.
6) Educate developers on secure coding practices related to database interactions to prevent recurrence.
7) Stay alert for official patches or updates from the project maintainer and apply them promptly once available.
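Steps 1 and 2 combined, as an added example that is not the project's DataBase.php: values are bound through prepared statements, and the table name, which cannot be bound as a parameter, is checked against a fixed allowlist. The use of PDO with an in-memory SQLite database, the `users` table, its column names, the `resolveTable()` helper and the password hashing are assumptions made so the script runs offline.

```php
<?php
// Added example: hypothetical hardened logIn()/signUp(), not the project's code.
// Table and column names (users, username, password) are assumptions.

const ALLOWED_TABLES = ['users'];   // identifiers cannot be bound, so allowlist them

function resolveTable(string $table): string
{
    // Strict comparison against a fixed list; anything else is rejected outright.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    return $table;
}

function signUp(PDO $db, string $table, string $username, string $password): bool
{
    $table = resolveTable($table);
    // User-supplied values travel as bound parameters, never as SQL text.
    $stmt = $db->prepare("INSERT INTO {$table} (username, password) VALUES (:u, :p)");
    return $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

function logIn(PDO $db, string $table, string $username, string $password): bool
{
    $table = resolveTable($table);
    $stmt = $db->prepare("SELECT password FROM {$table} WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
signUp($db, 'users', "o'brien", 'correct horse');   // quote in the value is stored as data

var_dump(logIn($db, 'users', "o'brien", 'correct horse'));   // matching credentials
var_dump(logIn($db, 'users', "o'brien", 'wrong password'));  // hash does not verify
try {
    logIn($db, 'not_a_listed_table', "o'brien", 'correct horse');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";      // table name never reaches the query
}
```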

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68a8c25bad5a09ad00217699

Added to database: 8/22/2025, 7:17:47 PM

Last enriched: 8/22/2025, 7:33:57 PM

Last updated: 8/22/2025, 7:33:57 PM
