CVE-2025-2053
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2053 is a critical SQL injection vulnerability in PHPGurukul Apartment Visitors Management System 1.0. The flaw resides in an unknown function within the file /visitor-detail.php, where manipulation of the editid argument enables SQL injection. Published on 2025-03-07, it carries a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 74 and 89.
The vulnerability allows remote exploitation over the network with low attack complexity and no user interaction required. It demands low privileges (PR:L), enabling authenticated users with basic access to inject malicious SQL payloads via the editid parameter. Successful exploitation can result in low-level impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service within the application's database.
Advisories and references, including VulDB entries (ctiid.298806, id.298806, submit.514234), a GitHub issue at guttlefish/vul/issues/11, and the vendor site phpGurukul.com, provide further details. The exploit has been publicly disclosed and may be actively used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in /visitor-detail.php enables exploitation of public-facing web applications (T1190), abuse of server software components for arbitrary query execution (T1505), and collection of data from databases via UNION-based attacks (T1213.006).