Car Washing Management System
CVE-2025-50494
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Session hijacking yields account confidentiality/integrity loss not availability, so C:H/I:H/A:N; AC:H because a valid session token must first be obtained.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper session invalidation in the component /doctor/change-password.php of PHPGurukul Car Washing Management System v1.0 allows attackers to execute a session hijacking attack.
AnalysisAI
Session hijacking in PHPGurukul Car Washing Management System v1.0 allows attackers to retain or reuse a doctor account session because the /doctor/change-password.php component fails to invalidate existing sessions after a credential change, publicly available exploit code exists (per the referenced GitHub PoC), though EPSS estimates only a 0.50% exploitation probability and the issue is not on CISA KEV. No public exploit identified as actively used in the wild; the flaw affects only the single unpatched v1.0 release of this niche PHP application.
Technical ContextAI
The affected software is PHPGurukul Car Washing Management System v1.0, a small PHP/MySQL web application distributed as a free source package for managing car-wash bookings and staff. The vulnerable component is the doctor-facing password change endpoint (/doctor/change-password.php). Although the CVE is tagged CWE-20 (Improper Input Validation), the described behavior - sessions remaining valid after a password change - is more precisely Insufficient Session Expiration / Improper Session Invalidation (CWE-613): the application does not destroy or regenerate server-side session identifiers when credentials are updated, so previously established PHP session cookies continue to authenticate. The single CPE, cpe:2.3:a:phpgurukul:car_washing_management_system:1.0, confirms only version 1.0 is in scope.
RemediationAI
No vendor-released patch identified at time of analysis, and no fixed version number is provided in the source data - do not assume a later release resolves it without confirming with PHPGurukul. As specific compensating controls: modify /doctor/change-password.php to call session_regenerate_id(true) and destroy the prior session immediately after a successful password update, forcing re-authentication (trade-off: the user is logged out on all devices, which is the intended secure behavior). Enforce short session lifetimes and idle timeouts to shrink the window in which a stolen session remains usable (trade-off: more frequent logins). Set session cookies with HttpOnly, Secure, and SameSite attributes and serve the application only over TLS to reduce the chance of a token being stolen in the first place. Restrict administrative/doctor panel access to trusted networks or behind a VPN as an interim control. The only actionable reference is the PoC at https://github.com/VasilVK/CVE/tree/main/CVE-2025-50494, useful for validating the fix.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today