CVE-2025-1966
Published: 05 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1966 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Pre-School Enrollment System 1.0, published on 2025-03-05. The issue affects an unknown functionality within the file /admin/index.php, where manipulation of the username argument enables SQL injection.
Remote attackers can exploit this vulnerability with network access, low attack complexity, no privileges, and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). Exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries.
Advisories referenced in VulDB entries (ctiid.298567, id.298567, submit.512039), a GitHub SECWG issue, and the vendor site phpgurukul.com detail the vulnerability, noting that the exploit has been publicly disclosed and may be used by attackers. No specific patches or mitigations are described in the provided information.
The exploit's public availability increases the risk of real-world use against exposed instances of the software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated /admin/index.php enables exploitation of public-facing web application (T1190) and unauthorized access to database contents via query manipulation, blind/time-based/UNION attacks (T1213.006).