CVE-2025-3006
Published: 31 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-3006 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting PHPGurukul e-Diary Management System version 1.0. The flaw exists in unknown code within the file /edit-category.php?id=8, where manipulation of the Category argument triggers the injection. Published on 2025-03-31, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads. The exploit has been publicly disclosed and may be actively used.
Advisories and details are available through references including VulDB entries (ctiid.302056, id.302056, submit.524553), a GitHub issue at yasuoz99/CVE-/issues/1, and the vendor site phpgurukul.com, which security practitioners should consult for any patch or mitigation guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web app (/edit-category.php?id=8) enables exploitation of public-facing applications (T1190) and arbitrary database queries for data collection (T1213.006).