CVE-2025-2382
Published: 17 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2382 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting PHPGurukul Online Banquet Booking System 1.0. The flaw resides in an unknown functionality of the file /admin/booking-search.php, where manipulation of the 'searchdata' argument triggers the injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-17T15:15:46.590.
The vulnerability is remotely exploitable by unauthenticated attackers with low attack complexity and no requirement for user interaction. Exploitation via SQL injection can result in limited impacts to confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption depending on the database backend.
Advisories referenced in VulDB (ctiid.299881, id.299881, submit.515911) and a GitHub issue (aionman/cve/issues/5) document the issue, with the vendor site at phpgurukul.com. The exploit has been publicly disclosed and may be used by attackers.
The vulnerability's public exploit availability heightens risk for exposed instances of this booking system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web application (/admin/booking-search.php) enables remote exploitation of public-facing application (T1190) and server software component (T1505).