CVE-2025-2628
Published: 22 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2628 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Art Gallery Management System version 1.1, published on 2025-03-22. The flaw resides in an unknown function within the file /art-enquiry.php, where manipulation of the 'eid' argument enables SQL injection.
The vulnerability is remotely exploitable over the network with low attack complexity and requires low privileges (PR:L), but no user interaction (UI:N). Per its CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attackers can achieve low impacts on confidentiality, integrity, and availability, such as limited data exposure, modification, or denial of service.
Advisories and details are referenced at https://github.com/ydnd/cve/issues/3, https://phpgurukul.com/, https://vuldb.com/?ctiid.300630, https://vuldb.com/?id.300630, and https://vuldb.com/?submit.519615. The exploit has been publicly disclosed and may be used, though no specific patch or mitigation steps are outlined in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app (/art-enquiry.php) enables exploitation of public-facing applications (T1190), data collection from databases (T1213.006), and abuse of server software components (T1505, as noted in advisory).