Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-13347

CVE-2025-13347: Train Station Ticketing System SQLi Flaw

CVE-2025-13347 is a SQL injection vulnerability in Oretnom23 Train Station Ticketing System 1.0 affecting the /ajax.php?action=save_user endpoint. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-13347 Overview

CVE-2025-13347 is a SQL injection vulnerability in SourceCodester Train Station Ticketing System 1.0, developed by oretnom23. The flaw resides in the /ajax.php?action=save_user endpoint, where the Username parameter is incorporated into a database query without proper sanitization. Authenticated attackers can manipulate this parameter remotely to inject arbitrary SQL statements. The exploit details have been published, increasing the likelihood of opportunistic abuse against exposed deployments. The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Remote attackers with low-privilege accounts can inject SQL statements through the Username argument, potentially exposing user records and other database contents stored by the ticketing system.

Affected Products

  • SourceCodester Train Station Ticketing System 1.0
  • oretnom23 train_station_ticketing_system (CPE: cpe:2.3:a:oretnom23:train_station_ticketing_system:1.0)
  • Deployments using the vulnerable /ajax.php?action=save_user handler

Discovery Timeline

  • 2025-11-18 - CVE-2025-13347 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-13347

Vulnerability Analysis

The vulnerability exists in the user save handler exposed at /ajax.php?action=save_user. The application accepts the Username argument from the HTTP request and embeds it directly into a SQL statement without parameterization or input validation. Because the request can be issued by any authenticated user of the application, an attacker holding a low-privilege session can submit crafted input that alters the structure of the underlying query.

SQL injection in a user management endpoint is particularly attractive to attackers. The handler typically interacts with the users table, which stores credentials and role assignments. Manipulating queries against this table allows database content extraction and, depending on backend privileges, may permit modification of arbitrary rows. According to public details posted on the GitHub Issue on CVE and the VulDB entry #332765, a working exploit has been disclosed.

Root Cause

The root cause is the absence of prepared statements or input sanitization in the save_user action. User-controlled values flow into a dynamically constructed SQL query, allowing meta-characters such as single quotes and SQL keywords to terminate the original statement and append attacker logic. This pattern is common in PHP applications that concatenate request parameters into queries handled by mysqli_query or equivalent functions.

Attack Vector

An attacker requires network access to the application and a low-privilege account to reach the save_user action. The attacker submits an HTTP request to /ajax.php?action=save_user with a crafted Username value containing SQL syntax. The injected payload is executed by the database engine, returning data through application responses or error channels. No user interaction beyond the attacker's own request is required.

The vulnerability mechanism is described in prose because no verified proof-of-concept code is included with this advisory. Technical specifics are documented in the VulDB submission #691945 and the linked GitHub issue.

Detection Methods for CVE-2025-13347

Indicators of Compromise

  • HTTP requests to /ajax.php?action=save_user containing SQL meta-characters such as ', --, UNION, or SLEEP( in the Username parameter.
  • Web server or PHP error logs referencing SQL syntax errors originating from the save_user handler.
  • Unexpected creation, modification, or enumeration of rows in the users table outside of normal administrative workflows.

Detection Strategies

  • Inspect web access logs for POST or GET requests targeting /ajax.php?action=save_user with abnormally long or encoded Username values.
  • Deploy a web application firewall (WAF) rule set that flags SQL injection signatures specifically on the ticketing system endpoints.
  • Correlate authentication events with subsequent database errors to identify low-privilege accounts probing the user management handler.

Monitoring Recommendations

  • Enable verbose query logging on the MySQL or MariaDB backend serving the ticketing system and alert on syntactically malformed queries from the application user.
  • Monitor outbound database traffic volume for spikes that may indicate bulk extraction through UNION-based or time-based injection.
  • Track failed and successful logins for accounts that subsequently access /ajax.php endpoints they would not normally use.

How to Mitigate CVE-2025-13347

Immediate Actions Required

  • Restrict network access to the Train Station Ticketing System 1.0 administrative interface using firewall rules or a reverse proxy until a vendor fix is available.
  • Revoke or rotate credentials for low-privilege user accounts that are not strictly required, reducing the pool of accounts able to reach the vulnerable handler.
  • Apply virtual patching at a WAF to block SQL injection patterns in the Username parameter of /ajax.php?action=save_user.

Patch Information

No vendor patch has been published in the references available for CVE-2025-13347. Administrators should monitor the SourceCodester project page and the VulDB CTI entry for updates, and consider replacing the application if a fix is not released.

Workarounds

  • Modify the save_user handler in ajax.php to use parameterized queries (mysqli_prepare with bound parameters or PDO prepared statements) instead of string concatenation.
  • Implement server-side input validation that rejects Username values containing SQL meta-characters or exceeding expected length.
  • Limit the database account used by the application to the minimum privileges required, preventing destructive injection payloads from succeeding.
bash
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable endpoint
SecRule REQUEST_URI "@contains /ajax.php" \
  "chain,id:1013347,phase:2,deny,status:403,msg:'CVE-2025-13347 SQLi attempt'"
  SecRule ARGS:action "@streq save_user" \
    "chain"
    SecRule ARGS:Username "@rx (?i)(union|select|sleep\(|--|';)" "t:none"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne