CVE-2025-2362
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2362 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting PHPGurukul Pre-School Enrollment System 1.0. The issue impacts the processing of the /admin/contact-us.php file, where manipulation of the 'mobnum' argument enables SQL injection. Other parameters might also be vulnerable. Published on 2025-03-17, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by unauthenticated attackers requiring low complexity and no user interaction. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as partial unauthorized data access, modification, or disruption.
Advisories are available via VulDB entries (ctiid.299861, id.299861, submit.514464) and a GitHub issue at https://github.com/12T40910/CVE/issues/3, with the vendor site at https://phpgurukul.com/. No specific patch or mitigation details are outlined in the disclosure.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated /admin/contact-us.php enables exploitation of public-facing web application (T1190), abuse of server software component for SQL query execution (T1505), and collection of data from databases via arbitrary SQL queries (T1213.006).