CVE-2025-1901
Published: 04 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-1901 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Restaurant Table Booking System 1.0. The flaw affects an unknown functionality within the file /admin/check_availability.php, where manipulation of the username argument enables SQL injection.
The vulnerability is remotely exploitable by unauthenticated attackers requiring low attack complexity and no user interaction, per its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation allows limited impacts on confidentiality, integrity, and availability through arbitrary SQL execution.
Advisories and details are available via VulDB entries (ctiid.298419, id.298419, submit.506612) and the vendor site phpgurukul.com. A proof-of-concept exploit has been publicly disclosed on GitHub.
The public availability of the exploit increases the risk of real-world attacks against exposed instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated SQL injection in a public-facing web application (PHP-based booking system) directly enables exploitation of public-facing applications for initial access.