CVE-2025-25352
Published: 13 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25352 is a SQL injection vulnerability (CWE-89) in the /admin/aboutus.php component of PHPGurukul Land Record System version 1.0. The flaw allows remote attackers to execute arbitrary code by injecting malicious input into the pagetitle POST request parameter. Published on 2025-02-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Attackers with high privileges, such as administrative access, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution, leading to high impacts on confidentiality, integrity, and availability within the application's scope.
References point to GitHub writeups documenting the SQL injection issue in the Land Record System's aboutus.php file, but no specific advisories or patches are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL Injection vulnerability in public-facing web application (/admin/aboutus.php) allows remote arbitrary code execution, enabling exploitation of public-facing applications.