PHPGurukul Small CRM CVE-2025-50484
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Network-reachable but requires obtaining a session and a victim password change (AC:H, UI:R); attacker holds no credentials of their own (PR:N); high confidentiality, low integrity, no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack.
AnalysisAI
Session hijacking in PHPGurukul Small CRM v3.0 stems from improper session invalidation in /crm/change-password.php, where existing session tokens are not revoked after a password change, letting an attacker who obtains or retains a valid session ID continue accessing the victim's authenticated account. Public exploit code exists (GitHub PoC by VasilVK), though there is no confirmed active exploitation (not in CISA KEV) and EPSS probability is low at 0.32% (24th percentile). Impact is primarily confidentiality of CRM data with limited integrity effect.
Technical ContextAI
The affected component is a PHP web application (PHPGurukul Small CRM, a lightweight open-source customer relationship management script), specifically its change-password.php handler. The root cause is CWE-613 (Insufficient Session Expiration): the application fails to invalidate or rotate active server-side sessions when a user changes their password. In a correctly designed PHP session model, a credential change should call session_regenerate_id() and destroy prior session identifiers so that any previously issued PHPSESSID cookie becomes worthless. Because Small CRM does not do this, a session captured, fixated, or left active before the password change remains valid afterward - negating the primary security benefit of changing a password after a suspected compromise. CPE cpe:2.3:a:phpgurukul:small_crm:3.0 identifies the exact affected build.
RemediationAI
No vendor-released patch is identified at time of analysis for PHPGurukul Small CRM v3.0, and no vendor advisory URL was provided. The core fix is code-level: force server-side session invalidation and identifier rotation on password change by calling session_regenerate_id(true) and destroying all prior sessions for the account within change-password.php, so pre-change session tokens can no longer authenticate. As compensating controls until an official fix is available, restrict network access to the CRM (place it behind a VPN or IP allowlist) to reduce remote reachability at the cost of legitimate remote-user convenience; enforce short PHP session lifetimes and idle timeouts to shrink the reuse window (side effect: more frequent re-logins); set session cookies with HttpOnly, Secure, and SameSite attributes and require full re-authentication after any sensitive account action to limit token capture. Review the public PoC at https://github.com/VasilVK/CVE/tree/main/CVE-2025-50484 to validate any local fix.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today