CVE-2025-2378
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2378 is an SQL injection vulnerability in PHPGurukul Medical Card Generation System 1.0. It affects an unknown part of the file /download-medical-cards.php and is triggered by manipulation of the searchdata argument. Published on 2025-03-17T13:15:39.513, it carries a CVSS v3.1 base score of 7.3 (High; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection').
The vulnerability is exploitable remotely over the network with low attack complexity and requires neither authentication nor user interaction. An attacker who controls the searchdata parameter can inject SQL into the query the page builds from it. The vector rates the impact on confidentiality, integrity and availability as Low, which in practice means unauthorized reads of database contents, modification of records, or denial of service.
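The following Python stand-in, added here as an example and not code from PHPGurukul or from the advisory, models the searchdata lookup the way a string-concatenated PHP query would behave, beside the parameterized form that closes the hole. The real product is PHP on MySQL; here SQLite replaces MySQL, and the table names, column names and the admin table are assumptions chosen for the demonstration.

```python
# Added example, not code from PHPGurukul or the advisory: an in-memory SQLite
# stand-in for the searchdata lookup in /download-medical-cards.php. The real
# application is PHP on MySQL; the table and column names here are assumptions.
import sqlite3

ADMIN_ROW = ("admin", "constructed-password-hash")  # constructed sample data


def build_db():
    """Create a throwaway database with a card table and a sensitive admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE medical_cards (card_id TEXT, patient_name TEXT, phone TEXT)")
    conn.execute("CREATE TABLE admin (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO medical_cards VALUES (?, ?, ?)",
        [("MC1001", "Alice", "555-0100"), ("MC1002", "Bob", "555-0101")],
    )
    conn.execute("INSERT INTO admin VALUES (?, ?)", ADMIN_ROW)
    conn.commit()
    return conn


def search_vulnerable(conn, searchdata):
    """Vulnerable pattern (CWE-89): searchdata is spliced into the SQL text."""
    sql = (
        "SELECT card_id, patient_name, phone FROM medical_cards "
        f"WHERE card_id LIKE '%{searchdata}%' OR patient_name LIKE '%{searchdata}%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, searchdata):
    """Hardened form: the query structure is fixed and the value is bound."""
    pattern = f"%{searchdata}%"
    sql = (
        "SELECT card_id, patient_name, phone FROM medical_cards "
        "WHERE card_id LIKE ? OR patient_name LIKE ?"
    )
    return conn.execute(sql, (pattern, pattern)).fetchall()


# A UNION-based payload of the kind sqlmap generates: it closes the LIKE string,
# appends a SELECT with the same column count, and comments out the remainder.
PAYLOAD = "' UNION SELECT username, password_hash, 'x' FROM admin-- -"


def leaked_admin_rows(rows):
    """Rows in a result set that could only have come from the admin table."""
    return [r for r in rows if r[0] == ADMIN_ROW[0] and r[1] == ADMIN_ROW[1]]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:    ", search_vulnerable(db, PAYLOAD))
    print("parameterized: ", search_parameterized(db, PAYLOAD))
```

Run against the vulnerable function, the payload returns both card rows plus the admin credential row; the parameterized function treats the whole payload as a literal LIKE pattern and returns nothing. Escaping alone is not a substitute: the fix is that the SQL structure never depends on the input.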
Advisories referenced in VulDB entries (ctiid.299877, id.299877, submit.515822) and a GitHub issue detail the vulnerability, while the vendor site phpgurukul.com provides context on the affected software.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection in the public-facing /download-medical-cards.php endpoint gives an attacker initial access by exploiting the application directly (T1190, Exploit Public-Facing Application). It also allows database enumeration and extraction of the application's data, as the proof of concept demonstrates with sqlmap (--dbs and UNION SELECT), which maps to T1213.006 (Data from Information Repositories: Databases).
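To detect the T1190/T1213.006 activity described above from web server logs, the following Python detector, added here as an example and not code from the advisory or the vendor, scans Apache combined-format access-log lines for injection idioms in the searchdata parameter of /download-medical-cards.php. The log lines, IP addresses and payloads are constructed for the demonstration; the indicator patterns are a minimal set, not a complete SQL injection signature.

```python
# Added example, not code from the advisory or the vendor: scans constructed
# Apache combined-format access-log lines for SQL injection attempts against the
# searchdata parameter of /download-medical-cards.php. All log data is made up.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/download-medical-cards.php"
TARGET_PARAM = "searchdata"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Each indicator matches one injection idiom. Several firing on one request is
# the usual sqlmap footprint (UNION SELECT plus a "-- -" comment terminator).
INDICATORS = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"--(?:\s|-|$)|/\*")),
    ("quote-boolean", re.compile(r"'\s*(?:or|and)\s+\S+\s*=", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
]


def analyse(line):
    """Return a finding dict for a suspicious request to the target, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    raw = parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, [""])[0]
    value = unquote_plus(raw)  # second decode catches %2527-style double encoding
    reasons = [name for name, rx in INDICATORS if rx.search(value)]
    if "sqlmap" in m["ua"].lower():  # default UA; trivially changed by --random-agent
        reasons.append("sqlmap-user-agent")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": m["status"], "searchdata": value, "reasons": reasons}


def scan(lines):
    """Findings for every flagged line, in log order."""
    return [f for f in (analyse(line) for line in lines) if f]


# Constructed sample log: one benign search, a UNION-based extraction attempt,
# a time-based probe, and a POST whose body (and searchdata) the log never sees.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2025:13:20:01 +0000] "GET /download-medical-cards.php'
    '?searchdata=MC1001 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Mar/2025:13:21:15 +0000] "GET /download-medical-cards.php'
    '?searchdata=%27+UNION+SELECT+username%2Cpassword%2C3+FROM+admin--+- HTTP/1.1"'
    ' 200 5120 "-" "sqlmap/1.8 (https://sqlmap.org)"',
    '198.51.100.9 - - [17/Mar/2025:13:21:16 +0000] "GET /download-medical-cards.php'
    '?searchdata=MC1001%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Mar/2025:13:21:17 +0000] "POST /download-medical-cards.php'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["ts"], finding["reasons"], repr(finding["searchdata"]))
```

Two of the four constructed lines are flagged. The fourth is the caveat a practitioner should keep in mind: if the application reads searchdata from a POST body, the access log records only the path, so this detector never sees the payload and the evidence has to come from a WAF, a reverse proxy with body logging, or the database query log.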