CVE-2025-2059
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2059 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in PHPGurukul Emergency Ambulance Hiring Portal 1.0. The flaw resides in an unspecified function of the /admin/booking-details.php file, where manipulation of the "ambulanceregnum" argument allows SQL code to be injected into the query the script executes.
Per its CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3), the vulnerability is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction. Through unauthorized SQL operations an attacker obtains low impact on confidentiality, integrity, and availability.
Reference advisories on VulDB (ctiid.298814, id.298814, submit.514522) and a GitHub issue (siznwaa/CVE/issues/4) document the issue; the vendor site, phpgurukul.com, is listed as the product reference. The exploit has been publicly disclosed and may be used by attackers.
Because the exploit is publicly available, unpatched instances of this portal software face elevated risk.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in the public-facing web application (/admin/booking-details.php) enables remote exploitation for initial access (T1190) and facilitates unauthorized data collection from the backend database via arbitrary SQL queries (T1213.006).
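As an added defensive example (not from the advisory or from PHPGurukul's code), the following Python script scans web-server access-log lines for requests to the affected script whose ambulanceregnum value does not look like a registration number, which is the kind of T1190 activity a detection rule for this CVE would look for. The log lines are constructed, and the allowed-value pattern is an assumption about what a legitimate registration number looks like.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from the advisory: the vulnerable script and the injectable parameter.
VULN_PATH = "/admin/booking-details.php"
VULN_PARAM = "ambulanceregnum"

# Assumption: a legitimate ambulance registration number is a short token of
# letters, digits and hyphens. Anything else (quotes, spaces, comment markers)
# is treated as an attempt to break out of the SQL string literal.
EXPECTED_VALUE = re.compile(r"^[A-Za-z0-9-]{1,32}$")

# Apache/nginx combined log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic). The second and fourth carry
# a quote-terminated value, the kind of manipulation the advisory describes.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2025:10:00:01 +0000] "GET /admin/booking-details.php?ambulanceregnum=AMB-1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Mar/2025:10:00:05 +0000] "GET /admin/booking-details.php?ambulanceregnum=AMB-1234%27+OR+%271%27%3D%271 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2025:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.10 - - [07/Mar/2025:10:02:30 +0000] "GET /admin/booking-details.php?ambulanceregnum=AMB-9%27-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""


def suspicious_values(target: str) -> list:
    """Return decoded ambulanceregnum values that do not look like a registration number."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    values = parse_qs(parts.query).get(VULN_PARAM, [])
    return [v for v in values if not EXPECTED_VALUE.fullmatch(v)]


def find_injection_attempts(log_text: str) -> list:
    """Scan access-log text and report requests that abuse the vulnerable parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        for value in suspicious_values(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {VULN_PARAM}={hit['value']!r}")
```

The same allow-list check belongs in the application itself, in front of a parameterized query; on the detection side a 500 status paired with a flagged value is worth alerting on, since it often means the injected input reached the database.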