CVE-2025-25355
Published: 13 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-25355 is a SQL injection vulnerability in the /admin/bwdates-reports-details.php component of PHPGurukul Land Record System version 1.0. The flaw allows remote attackers to execute arbitrary code by injecting malicious payloads into the 'fromdate' POST request parameter. Published on 2025-02-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.
Exploitation targets users with high privileges, such as authenticated administrators, who can submit crafted POST requests to the vulnerable endpoint over the network. The attack requires low complexity and no user interaction, enabling attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full system compromise.
References point to GitHub writeups detailing the SQL injection via the 'fromdate' parameter, including proof-of-concept information in PDF format. No specific patch or mitigation details are outlined in the provided sources.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/admin/bwdates-reports-details.php) enables remote exploitation (T1190) and arbitrary SQL query execution for database data collection (T1213.006).