CVE-2025-1952
Published: 04 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1952 is a critical SQL injection vulnerability in PHPGurukul Restaurant Table Booking System 1.0. The flaw resides in an unknown function within the file /admin/password-recovery.php, where manipulation of the username or mobileno arguments enables SQL code injection. Published on 2025-03-04, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-89.
The vulnerability is exploitable remotely by unauthenticated attackers with low complexity, requiring no user interaction or privileges. Successful exploitation allows attackers to achieve low-level impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL queries.
Advisories and details are documented on VULDB (https://vuldb.com/?ctiid.298542, https://vuldb.com/?id.298542, https://vuldb.com/?submit.509955) and a GitHub issue (https://github.com/zrlianc/CVE/issues/1), with the vendor site at https://phpgurukul.com/. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web app password recovery allows remote exploitation for initial access (T1190), stealing credentials from the database (T1212), and collecting data from databases (T1213.006).