CVE-2025-1906
Published: 04 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-1906 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Restaurant Table Booking System 1.0, published on 2025-03-04. The flaw resides in unknown code within the /admin/profile.php file, where manipulation of the 'mobilenumber' argument enables SQL injection. The vulnerability is remotely exploitable, and other parameters may also be affected.
A remote attacker with high privileges (PR:H) can exploit this issue with low attack complexity (AC:L) over the network (AV:N) and without user interaction (UI:N), as indicated by the CVSS v3.1 base score of 4.7 (C:L/I:L/A:L/S:U). Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories provide further details on the vulnerability, including exploit information disclosed publicly via a GitHub issue at https://github.com/HaroldFinch-L/CVE/issues/2 and VulDB entries at https://vuldb.com/?ctiid.298426, https://vuldb.com/?id.298426, and https://vuldb.com/?submit.508915. The vendor website is https://phpgurukul.com/.
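To show the flaw class from a defender's side, here is an added example (not the project's code; the mysqli handle `$con`, the table and column names and the handler names are assumptions) contrasting the string-concatenation pattern that produces this kind of injection in a profile update with a parameterised version:

```php
<?php
// Added illustration, not PHPGurukul's code. Table/column names, the mysqli
// connection $con and the function names are assumptions for the example.

// Weak pattern: the request value is spliced into the SQL text, so whatever
// is sent in 'mobilenumber' is parsed by the database as part of the query.
function updateProfileUnsafe(mysqli $con, int $adminId, array $post): bool
{
    $mobile = $post['mobilenumber'] ?? '';
    $sql = "UPDATE tbladmin SET MobileNumber='$mobile' WHERE ID=$adminId";
    return (bool) $con->query($sql);
}

// Hardened version: constrain the input's shape, then bind it as a parameter
// so the value travels separately from the SQL statement and is never parsed.
function updateProfileSafe(mysqli $con, int $adminId, array $post): bool
{
    $mobile = trim((string) ($post['mobilenumber'] ?? ''));
    // Accept only a digit string of plausible length; anything else is rejected.
    if (!preg_match('/^[0-9]{6,15}$/', $mobile)) {
        return false;
    }
    $stmt = $con->prepare('UPDATE tbladmin SET MobileNumber = ? WHERE ID = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $mobile, $adminId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Parameter binding is the control that removes the injection; the regular expression only narrows what the handler accepts and is not a substitute for it.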
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable SQL injection vulnerability in a web application (/admin/profile.php), directly enabling the T1190 technique of exploiting public-facing applications to achieve limited confidentiality, integrity, and availability impacts.