CVE-2025-1580
Published: 23 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1580 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Nipah Virus Testing Management System 1.0. The flaw affects an unknown function within the file /search-report-result.php, where manipulation of the 'searchdata' argument triggers the injection. Published on 2025-02-23, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by attackers possessing low privileges, requiring low attack complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries. The exploit has been publicly disclosed and may be actively used.
Advisories provide further details via references including a GitHub issue at https://github.com/wqywfvc/CVE/issues/5, the vendor site at https://phpgurukul.com/, and VulDB entries at https://vuldb.com/?ctiid.296556, https://vuldb.com/?id.296556, and https://vuldb.com/?submit.504234. The initial researcher advisory notes contradicting parameter names as potentially affected.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/search-report-result.php) enables exploitation of public-facing apps (T1190), abuse of server software components/databases (T1505), and data collection from databases (T1213.006) via arbitrary SQL queries for access, modification, or deletion.