CVE-2025-1578
Published: 23 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1578 is a SQL injection vulnerability classified as critical in PHPGurukul/Campcodes Online Shopping Portal version 2.1. The issue resides in an unknown part of the file /search-result.php, where manipulation of the "Product" argument enables SQL injection. It is associated with CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection).
The vulnerability allows remote exploitation with low privileges required (PR:L), low attack complexity (AC:L), and no user interaction (UI:N) over the network (AV:N). Attackers can achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), with an unchanged scope (S:U), resulting in a CVSS v3.1 base score of 6.3.
VulDB advisories document the vulnerability (ctiid.296553, id.296553) and reference a public submission, while a GitHub repository provides a PDF detailing the foreground SQL injection, including a disclosed exploit that may be used. No patches or specific mitigations are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing /search-result.php enables exploitation of public-facing application (T1190) and arbitrary data collection from databases (T1213.006).