CVE-2025-25356
Published: 13 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-25356 is a SQL injection vulnerability (CWE-89) in the /admin/bwdates-reports-details.php component of PHPGurukul Land Record System version 1.0. It allows remote attackers to execute arbitrary code by injecting malicious payloads into the "todate" POST request parameter. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-13.
Attackers require high privileges (PR:H), such as administrative access, to exploit this over the network with low complexity and no user interaction. Successful exploitation enables arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability, potentially allowing full compromise of the affected system.
References point to GitHub writeups detailing the SQL injection in the "todate" parameter, available at https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/SQL%20Injection%20tadate.pdf. No specific mitigation or patch details are provided in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web application allows remote exploitation for initial access (T1190) and arbitrary database queries for data collection (T1213.006).