CVE-2025-2050
Published: 07 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2050 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) affecting PHPGurukul User Registration & Login and User Management System version 3.3. The flaw resides in an unknown functionality of the file /login.php, where manipulation of the email argument enables SQL injection. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By crafting malicious input for the email parameter during login attempts, the attacker can execute arbitrary SQL queries, potentially leading to low-level impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor data modification), and availability (e.g., minor service disruption).
Advisories referenced in VulDB entries (https://vuldb.com/?ctiid.298801, https://vuldb.com/?id.298801, https://vuldb.com/?submit.514115) and a GitHub issue (https://github.com/guttlefish/vul/issues/8) detail the vulnerability, with the vendor site at https://phpgurukul.com/. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app login.php enables exploitation of public-facing applications (T1190), collection of data from databases via arbitrary queries (T1213.006), and abuse of server software components (T1505, as cited in advisory).