CVE-2025-2088
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2088 is a critical SQL injection vulnerability in the PHPGurukul Pre-School Enrollment System up to version 1.0. The issue affects an unknown function within the /admin/profile.php file, where the fullname, emailid, and mobileNumber parameters can be manipulated to inject malicious SQL code. Recent publications classify it under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without authentication or user interaction, allowing unauthenticated attackers to access it over the network with low complexity. Successful exploitation can result in limited confidentiality impacts such as reading sensitive data, limited integrity impacts like modifying database entries, and limited availability impacts potentially causing low-level denial of service.
Advisories and additional details are available in references including a GitHub issue at https://github.com/SECWG/cve/issues/2, the vendor site at https://phpgurukul.com/, and VulDB entries at https://vuldb.com/?ctiid.298902, https://vuldb.com/?id.298902, and https://vuldb.com/?submit.514974. The exploit has been publicly disclosed and may be actively used by attackers.
Published on 2025-03-07, this vulnerability highlights ongoing risks in web applications handling enrollment data, with no reported patches specified in available details.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in a publicly accessible web application (PHPGurukul Pre-School Enrollment System) directly enables remote unauthenticated exploitation over the network, mapping to Exploit Public-Facing Application.