PHPGurukul Beauty Parlour Management System CVE-2025-11330
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. The affected element is an unknown function of the file /admin/sales-reports-detail.php. Such manipulation of the argument fromdate/todate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in PHPGurukul Beauty Parlour Management System 1.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulated fromdate and todate parameters in /admin/sales-reports-detail.php. The vulnerability has low real-world impact (CVSS 2.1, EPSS 0.04%) despite public exploit availability, as it requires valid admin authentication and yields only limited data disclosure without full database manipulation capability.
Technical ContextAI
The vulnerability exists in the sales-reports-detail.php administrative interface where user-supplied input from the fromdate and todate HTTP parameters is passed unsanitized into SQL queries. This is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), indicating inadequate input validation or parameterized query usage. The affected component is PHP-based web application code that processes date range filters without proper SQL escaping or prepared statements, allowing injection of arbitrary SQL syntax within date parameter values.
RemediationAI
Upgrade PHPGurukul Beauty Parlour Management System to a version newer than 1.1 if available from phpgurukul.com. If no patched version is released, immediately implement input validation on the fromdate and todate parameters to reject non-date-formatted input, and refactor all SQL queries in /admin/sales-reports-detail.php to use parameterized queries (prepared statements) or ORM frameworks that automatically escape input. As an interim compensating control, restrict access to /admin/sales-reports-detail.php to a minimal set of trusted administrator accounts and monitor access logs for suspicious parameter values containing SQL syntax characters (quotes, semicolons, UNION keywords). Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in HTTP parameters. Note that these controls mitigate exploitation but do not eliminate the underlying defect; code patching is the permanent solution.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today