CVE-2025-5578

EUVD-2025-16856 | HIGH
2025-06-04 | [email protected]
CVSS 3.1 base score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events)

Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd), EUVD-2025-16856
PoC Detected: Jun 04, 2025 - 18:27 (vuln.today), public exploit code
CVE Published: Jun 04, 2025 - 08:15 (nvd), HIGH 7.3

Description (NVD)

A vulnerability has been found in PHPGurukul Dairy Farm Shop Management System 1.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sales-report-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

PHPGurukul Dairy Farm Shop Management System version 1.3 contains a critical SQL injection vulnerability in the /sales-report-details.php file affecting the fromdate and todate parameters. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with working proof-of-concept code available, making active exploitation likely in the wild.

Technical Context (AI)

The vulnerability is a classic SQL injection (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) in a PHP-based web application. The /sales-report-details.php endpoint fails to properly sanitize or parameterize user input from the 'fromdate' and 'todate' HTTP parameters before incorporating them into SQL queries. The affected product is PHPGurukul Dairy Farm Shop Management System (CPE approximation: cpe:2.3:a:phpgurukul:dairy_farm_shop_management_system:1.3:*:*:*:*:*:*:*). The root cause is insufficient input validation and lack of prepared statements or parameterized queries, allowing attackers to break out of intended SQL query context and inject malicious SQL syntax.

Remediation (AI)

Patch: Check the PHPGurukul official website or GitHub repository for version 1.4+, which may contain fixes; contact the vendor directly for security updates.
Workaround: Implement strict input validation on the date parameters using whitelist patterns (YYYY-MM-DD format only); reject any input containing SQL metacharacters or unexpected syntax.
Workaround: Use prepared statements/parameterized queries in /sales-report-details.php; refactor all date parameter handling to use bound parameters instead of string concatenation.
Mitigation: Deploy Web Application Firewall (WAF) rules to block SQL injection payloads targeting the date parameters; monitor for suspicious query patterns in application logs.
Mitigation: Restrict database user privileges to read-only where possible; apply the principle of least privilege to the database connections used by this application.
Mitigation: Consider disabling or restricting access to /sales-report-details.php until a patch is available; limit access by IP address or require VPN authentication.
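As an added illustration of the two workarounds above (whitelist validation of the date parameters and bound parameters in the query), the script below is not code from PHPGurukul or from this advisory. The table name `tblsales`, its columns, and the sample rows are assumptions chosen only so the script runs offline against an in-memory SQLite database through PDO; the real application's schema and query are not shown on this page.

```php
<?php
// Added illustration, not the project's code. Table/column names and the
// sample rows are placeholders so the script runs offline via PDO + SQLite.
declare(strict_types=1);

// Whitelist check: accept only YYYY-MM-DD that is also a real calendar date
// (the round trip through DateTimeImmutable rejects values such as 2025-02-30).
function isValidIsoDate(string $value): bool
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return false;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    return $dt !== false && $dt->format('Y-m-d') === $value;
}

// The vulnerable shape the advisory describes: raw request parameters spliced
// into the SQL text, so a quote inside fromdate/todate changes the query.
// Shown only to contrast with the hardened version; it is never executed here.
function buildVulnerableSql(string $fromdate, string $todate): string
{
    return "SELECT id, SalesDate, Total FROM tblsales "
         . "WHERE SalesDate BETWEEN '$fromdate' AND '$todate'";
}

// Hardened version: validate first, then bind the values so the database
// driver treats them as data, never as SQL syntax.
function fetchSalesReport(PDO $pdo, string $fromdate, string $todate): array
{
    if (!isValidIsoDate($fromdate) || !isValidIsoDate($todate)) {
        throw new InvalidArgumentException('fromdate/todate must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare(
        'SELECT id, SalesDate, Total FROM tblsales WHERE SalesDate BETWEEN :from AND :to'
    );
    $stmt->execute([':from' => $fromdate, ':to' => $todate]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblsales (id INTEGER PRIMARY KEY, SalesDate TEXT, Total REAL)');
$ins = $pdo->prepare('INSERT INTO tblsales (SalesDate, Total) VALUES (?, ?)');
foreach ([['2025-05-01', 120.5], ['2025-05-15', 80.0], ['2025-06-02', 45.25]] as $row) {
    $ins->execute($row);
}

// Constructed malformed input of the kind the whitelist must reject: a quote
// and a comment marker where only a date belongs.
$bad = "2025-05-01' OR 1=1 -- ";

echo "Query text the concatenating version would have produced:\n";
echo buildVulnerableSql($bad, '2025-05-31'), "\n\n";

try {
    fetchSalesReport($pdo, $bad, '2025-05-31');
} catch (InvalidArgumentException $e) {
    echo "Rejected by validation: ", $e->getMessage(), "\n";
}

$rows = fetchSalesReport($pdo, '2025-05-01', '2025-05-31');
echo "Rows returned for May 2025: ", count($rows), "\n";
```

Run with `php example.php` (the `pdo_sqlite` extension must be enabled). The validation and the bound parameters are independent layers: the regex keeps unexpected syntax out of the application entirely and gives a clean error to log, while the prepared statement guarantees that even a value that slips past validation cannot alter the query structure.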


CVE-2025-5578 vulnerability details – vuln.today
