Skip to main content

PHPGurukul Small CRM CVE-2025-50484

HIGH
Insufficient Session Expiration (CWE-613)
2025-07-28 cve@mitre.org
7.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI
5.9 MEDIUM

Network-reachable but requires obtaining a session and a victim password change (AC:H, UI:R); attacker holds no credentials of their own (PR:N); high confidentiality, low integrity, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 01:56 vuln.today

DescriptionCVE.org

Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack.

AnalysisAI

Session hijacking in PHPGurukul Small CRM v3.0 stems from improper session invalidation in /crm/change-password.php, where existing session tokens are not revoked after a password change, letting an attacker who obtains or retains a valid session ID continue accessing the victim's authenticated account. Public exploit code exists (GitHub PoC by VasilVK), though there is no confirmed active exploitation (not in CISA KEV) and EPSS probability is low at 0.32% (24th percentile). Impact is primarily confidentiality of CRM data with limited integrity effect.

Technical ContextAI

The affected component is a PHP web application (PHPGurukul Small CRM, a lightweight open-source customer relationship management script), specifically its change-password.php handler. The root cause is CWE-613 (Insufficient Session Expiration): the application fails to invalidate or rotate active server-side sessions when a user changes their password. In a correctly designed PHP session model, a credential change should call session_regenerate_id() and destroy prior session identifiers so that any previously issued PHPSESSID cookie becomes worthless. Because Small CRM does not do this, a session captured, fixated, or left active before the password change remains valid afterward - negating the primary security benefit of changing a password after a suspected compromise. CPE cpe:2.3:a:phpgurukul:small_crm:3.0 identifies the exact affected build.

RemediationAI

No vendor-released patch is identified at time of analysis for PHPGurukul Small CRM v3.0, and no vendor advisory URL was provided. The core fix is code-level: force server-side session invalidation and identifier rotation on password change by calling session_regenerate_id(true) and destroying all prior sessions for the account within change-password.php, so pre-change session tokens can no longer authenticate. As compensating controls until an official fix is available, restrict network access to the CRM (place it behind a VPN or IP allowlist) to reduce remote reachability at the cost of legitimate remote-user convenience; enforce short PHP session lifetimes and idle timeouts to shrink the reuse window (side effect: more frequent re-logins); set session cookies with HttpOnly, Secure, and SameSite attributes and require full re-authentication after any sensitive account action to limit token capture. Review the public PoC at https://github.com/VasilVK/CVE/tree/main/CVE-2025-50484 to validate any local fix.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-50484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy