CVE-2025-25351
Published: 12 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-25351 is a SQL injection vulnerability (CWE-89) in PHPGurukul Daily Expense Tracker System version 1.1. The flaw resides in the /dets/add-expense.php component, which does not properly sanitize the dateexpense parameter, allowing malicious SQL payloads to be injected into backend database queries. Published on 2025-02-12, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
Remote, unauthenticated attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation enables high-impact violations of confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing attackers to extract sensitive data, modify records, or disrupt system operations.
A detailed writeup, including proof-of-concept details, is available at https://github.com/vkcyberexpert/CVE-Writeup/blob/main/PHPGurukul/Daily%20Expense%20Tracker%20System/SQL%20Injection%20dateexpense%20daily%20expense.pdf. No official patches or vendor advisories are referenced in available information.
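With no vendor patch referenced, the usual remediation for CWE-89 in a date field is strict format validation plus a bound parameter. The following is an added example, not code from the application or the writeup; the table and column names, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical schema and function names, not the application's code.

/** Return the date in Y-m-d form, or null if the input is not a strict calendar date. */
function parse_expense_date(string $raw): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The round-trip comparison rejects trailing data, missing zero padding
    // and overflowed dates such as 2025-02-30.
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

/** Insert one expense row; returns false when the input is rejected. */
function add_expense(PDO $db, string $rawDate, string $item, string $cost): bool
{
    $date = parse_expense_date($rawDate);
    if ($date === null || !is_numeric($cost)) {
        return false; // reject instead of passing the value to the database
    }
    // Placeholders keep every request value out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO expenses (expense_date, item, cost) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$date, $item, $cost]);
}

// Constructed demo on an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE expenses (expense_date TEXT, item TEXT, cost TEXT)');

// Constructed inputs: a well-formed date, a date with trailing characters,
// and a date that does not exist on the calendar.
var_dump(add_expense($db, '2025-02-12', 'Coffee', '3.50'));
var_dump(add_expense($db, "2025-02-12' -- ", 'Coffee', '3.50'));
var_dump(add_expense($db, '2025-02-30', 'Coffee', '3.50'));
var_dump((int) $db->query('SELECT COUNT(*) FROM expenses')->fetchColumn());
```

The validation step narrows the field to a known format, while the prepared statement is what removes the injection path, so both belong in the fix.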
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (/dets/add-expense.php) enables exploitation of a public-facing application (T1190) and facilitates collection of data from databases via arbitrary SQL queries (T1213.006).