CVE-2025-2608
Published: 21 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2608 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Banquet Booking System 1.2. The flaw affects an unknown part of the file /admin/view-user-queries.php, where manipulation of the viewid argument enables SQL injection. It carries a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-21T22:15:26.250.
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL queries.
Advisories and additional details are available in references including https://github.com/emano888/cve/issues/1, https://vuldb.com/?ctiid.300591, https://vuldb.com/?id.300591, https://vuldb.com/?submit.518587, and the vendor site at https://phpgurukul.com/. The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability enables exploitation of a public-facing web application (T1190) and server software component (T1505) to collect data from the backend database (T1213.006).