CVE-2025-2383
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2383 is a critical SQL injection vulnerability in PHPGurukul Doctor Appointment Management System 1.0. The issue resides in an unknown functionality of the file /doctor/search.php, where manipulation of the searchdata argument triggers the injection. Published on 2025-03-17T16:15:27.600, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs-74 and CWE-89.
Remote attackers require only network access and no authentication or user interaction to exploit this vulnerability with low attack complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as partial data exposure, modification, or disruption via injected SQL payloads.
Advisories and additional details are documented in references including https://github.com/aionman/cve/issues/6, https://phpgurukul.com/, https://vuldb.com/?ctiid.299882, https://vuldb.com/?id.299882, and https://vuldb.com/?submit.515913. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in a public-facing web application (/doctor/search.php) enables initial access via exploitation of public-facing applications (T1190) and facilitates collection of data from databases (T1213.006) through arbitrary SQL query manipulation, data leakage, and tampering.