CVE-2025-2649
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
A critical SQL injection vulnerability, designated CVE-2025-2649, affects the PHPGurukul Doctor Appointment Management System version 1.0. The flaw resides in unknown code within the /check-appointment.php file, where the 'searchdata' argument can be manipulated to trigger the injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-23.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation via the 'searchdata' parameter enables SQL injection, potentially allowing limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption depending on the database configuration.
Advisories and references, including those from VulDB (ctiid.300664, id.300664, submit.519780) and a GitHub issue at liuhao2638/cve/issues/12, document the issue, while the vendor site phpgurukul.com provides context on the affected software. No specific patches or mitigations are detailed in the available information.
The exploit has been publicly disclosed, increasing the risk of widespread use against unpatched instances of this system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/check-appointment.php) enables exploitation of public-facing application (T1190) and unauthorized database access, modification, or deletion (T1213.006).