CVE-2025-2052
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2052 is a critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0, affecting the processing of the /forgot-password.php file. The issue arises from improper handling of the 'contactno' argument, enabling SQL injection as classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-07.
The vulnerability can be exploited remotely by attackers with low privileges, such as authenticated users, requiring low attack complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling data exfiltration, modification, or disruption within the application's database.
Advisories and references, including a GitHub issue at https://github.com/guttlefish/vul/issues/10, VulDB entries at https://vuldb.com/?ctiid.298805, https://vuldb.com/?id.298805, and https://vuldb.com/?submit.514218, and the vendor site at https://phpgurukul.com/, document the issue. The exploit has been publicly disclosed and may be used.
In notable context, the public availability of the exploit increases the risk of real-world attacks against unpatched instances of this management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in /forgot-password.php enables exploitation of public-facing web applications (T1190), abuse of server software components (T1505 as noted in advisory), exploitation specifically for credential access via database dumps (T1212), and collection from databases (T1213.006).