CVE-2025-2734
Published: 25 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2734 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Old Age Home Management System 1.0. The flaw resides in an unknown function within the file /admin/aboutus.php, where manipulation of the 'pagetitle' argument triggers the injection. Published on 2025-03-25, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers without authentication can exploit this vulnerability due to its network accessibility, low attack complexity, and lack of required user interaction. By injecting malicious SQL via the 'pagetitle' parameter, attackers can achieve low-level impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption depending on the database backend.
Advisories referenced in VulDB (ctiid.300756, id.300756, submit.522265) and a GitHub issue (0xabandon/CVE/issues/1) detail the vulnerability, confirming remote exploitability. The vendor site phpgurukul.com is listed, though specific patch information is not detailed in the available references. The exploit has been publicly disclosed and may be used.
The public availability of the exploit increases the risk for unpatched instances of this management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application enables initial access via exploitation of public-facing application (T1190), execution through server software component (T1505 as noted in advisory), and collection from databases (T1213.006).