CVE-2025-2738
Published: 25 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-2738 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Old Age Home Management System 1.0. The flaw lies in an unidentified function of the file /admin/manage-scdetails.php, where manipulation of the 'namesc' argument leads to SQL injection. Published on 2025-03-25, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers can exploit this vulnerability over the network without privileges or user interaction and with low attack complexity. Successful exploitation has limited impact on confidentiality, integrity, and availability, potentially enabling unauthorized database queries, data manipulation, or disruption through SQL injection.
Advisories and further details are available in referenced sources, including https://github.com/X-X-007/cve/issues/2, https://phpgurukul.com/, https://vuldb.com/?ctiid.300760, https://vuldb.com/?id.300760, and https://vuldb.com/?submit.522931. The exploit has been publicly disclosed and may be used.
The vulnerability has no reported AI/ML relevance, and no real-world exploitation in the wild is noted in available information.
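As an added detection example, not taken from the CVE record or the PHPGurukul project, the Python below scans web-server access log lines for requests to the affected endpoint whose namesc parameter carries SQL metacharacters or keywords, decoding double-encoded values on the way. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint and parameter named in the CVE-2025-2738 record.
VULN_PATH = "/admin/manage-scdetails.php"
VULN_PARAM = "namesc"

# Assumed Apache/nginx combined-log layout (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# SQL metacharacters and keywords that rarely occur in a legitimate name value.
# Kept conservative; a genuine apostrophe (e.g. O'Brien) still produces a hit
# that an analyst must review, which is the usual trade-off for this rule.
SQLI_RE = re.compile(
    r"(')|(--)|(/\*)|(;)|\b(or|and)\b\s+\S+\s*=|"
    r"\b(union|select|sleep|benchmark|extractvalue|updatexml)\b",
    re.IGNORECASE,
)

def is_suspicious_value(value: str) -> bool:
    """Return True when the (possibly double-encoded) value carries SQLi indicators."""
    decoded = unquote_plus(unquote_plus(value))  # parse_qs decoded once already
    return SQLI_RE.search(decoded) is not None

def scan_log(lines):
    """Return (ip, timestamp, raw namesc value) for suspicious hits on the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
            if is_suspicious_value(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

# Constructed sample log lines: one benign lookup, one quote/comment probe,
# one request to a different page, and one double-encoded UNION probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2025:10:00:01 +0000] "GET /admin/manage-scdetails.php?namesc=Mary%20Smith HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Mar/2025:10:00:07 +0000] "GET /admin/manage-scdetails.php?namesc=x%27%20OR%201%3D1--%20 HTTP/1.1" 200 9120',
    '198.51.100.2 - - [25/Mar/2025:10:00:09 +0000] "GET /admin/index.php?namesc=%27 HTTP/1.1" 302 0',
    '203.0.113.9 - - [25/Mar/2025:10:00:12 +0000] "GET /admin/manage-scdetails.php?namesc=%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious namesc={value!r}")
```

Pair the rule with the application's own error responses (the 500 in the last sample line) to prioritise hits, since a successful injection on an unpatched 1.0 install is unlikely to be visible in the access log alone.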
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application enables T1190 exploitation; it allows unauthorized database queries (T1213.006) and stored data manipulation (T1565.001).