CVE-2025-2471
Published: 18 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2471 is a critical SQL injection vulnerability in PHPGurukul Boat Booking System 1.0. The issue affects an unknown function within the file /boat-details.php, where manipulation of the 'bid' argument enables the injection. Recent CWE classifications include CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')).
The vulnerability allows remote exploitation over the network with low attack complexity and requires low privileges (PR:L), without user interaction. Successful attacks can result in low-level impacts to confidentiality, integrity, and availability, as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). An authenticated user with low privileges could manipulate the 'bid' parameter to inject malicious SQL payloads.
Advisories and related details are available through references including a GitHub issue at https://github.com/1cfh/vuln-pub/issues/1, the vendor site at https://phpgurukul.com/, and VULDB entries at https://vuldb.com/?ctiid.299964, https://vuldb.com/?id.299964, and https://vuldb.com/?submit.517113.
The exploit has been publicly disclosed and may be used by attackers. The vulnerability was published on 2025-03-18T00:15:13.030.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/boat-details.php) enables exploitation of public-facing applications (T1190), data collection from databases via arbitrary SQL queries including blind and UNION techniques (T1213.006), and abuse of server software components as mapped in VulDB advisory (T1505).