CVE-2025-1900
Published: 04 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-1900 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Restaurant Table Booking System 1.0. The flaw resides in unknown functionality within the /add-table.php file, where manipulation of the 'tableno' argument triggers the injection.
Attackers can exploit this remotely without authentication or user interaction, as indicated by the CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability.
Advisories and further details are available via VulDB entries (https://vuldb.com/?ctiid.298418, https://vuldb.com/?id.298418, https://vuldb.com/?submit.506609) and a GitHub issue (https://github.com/chenzi-dynasty/CVE/issues/2), with the vendor site at https://phpgurukul.com/.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in the public-facing web application (/add-table.php) enables initial access via exploitation of public-facing applications (T1190), collection of data from databases via arbitrary SQL queries (T1213.006), and manipulation of stored data such as tampering or deletion (T1565.001).