CVE-2025-1894
Published: 04 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-1894 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting PHPGurukul Restaurant Table Booking System version 1.0. The issue resides in unknown functionality of the file /search-result.php, where manipulation of the searchdata argument enables SQL injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-04T02:15:35.380.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, potentially allowing data exfiltration, modification, or disruption within the application's database.
Advisories and further details are available in references including VulDB entries (https://vuldb.com/?ctiid.298412, https://vuldb.com/?id.298412, https://vuldb.com/?submit.506592), the vendor site (https://phpgurukul.com/), and a GitHub disclosure (https://github.com/Maochuyue/cve/issues/1), where the exploit has been publicly released and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web application (/search-result.php) enables exploitation of public-facing app (T1190), unauthorized access to databases for data collection (T1213.006), and manipulation of stored database data (T1565.001).