CVE-2025-2643
Published: 23 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2643 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Art Gallery Management System 1.0. The flaw resides in unknown code within the file /admin/edit-art-type-detail.php?editid=1, where manipulation of the 'arttype' argument enables SQL injection. Published on 2025-03-23, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling data extraction, modification, or disruption within the affected application's database.
Advisories and additional details are available via VulDB entries (https://vuldb.com/?ctiid.300658, https://vuldb.com/?id.300658, https://vuldb.com/?submit.519772), the vendor site (https://phpgurukul.com/), and a GitHub issue (https://github.com/liuhao2638/cve/issues/6). The exploit has been publicly disclosed and may be in use.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in public-facing web application (PHPGurukul Art Gallery Management System) enables exploitation of public-facing application (T1190), collection of data from databases (T1213.006), and abuse of server software components (T1505) as mapped by VulDB.