CVE-2025-2674
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2674 is a critical SQL injection vulnerability in PHPGurukul Bank Locker Management System version 1.0. The issue affects an unknown functionality within the /aboutus.php file, where manipulation of the 'pagetitle' argument enables the injection. Published on 2025-03-24, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
Remote attackers require only network access and no authentication or user interaction to exploit this vulnerability. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads through the 'pagetitle' parameter.
Advisories and additional details are available in referenced sources, including a GitHub issue at https://github.com/ARPANET-cyber/CVE/issues/3, the vendor site at https://phpgurukul.com/, and VulDB entries at https://vuldb.com/?ctiid.300691, https://vuldb.com/?id.300691, and https://vuldb.com/?submit.521441.
The exploit has been publicly disclosed and may be actively used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/aboutus.php) with remote unauthenticated access directly maps to exploitation of public-facing apps.