EUVD-2025-16855CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionNVD
A vulnerability was found in PHPGurukul Dairy Farm Shop Management System 1.3 and classified as critical. Affected by this issue is some unknown functionality of the file /search-product.php. The manipulation of the argument productname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
A critical SQL injection vulnerability exists in PHPGurukul Dairy Farm Shop Management System version 1.3 within the /search-product.php endpoint, specifically in the 'productname' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the database. The vulnerability has been publicly disclosed with proof-of-concept code available, making active exploitation a significant risk.
Technical ContextAI
This vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component, also commonly classified under CWE-89) occurring in a PHP-based e-commerce management system. The /search-product.php file fails to properly sanitize or parameterize user input from the 'productname' GET/POST parameter before incorporating it into SQL queries. The root cause is the absence of prepared statements or input validation, allowing attackers to inject malicious SQL syntax (e.g., UNION-based, Boolean-based, or time-based blind SQL injection). The affected product is PHPGurukul Dairy Farm Shop Management System (CPE: cpe:2.3:a:phpgurukul:dairy_farm_shop_management_system:1.3:*:*:*:*:*:*:*), a web application typically running on Apache/Nginx with PHP and a backend MySQL/MariaDB database.
Share
External POC / Exploit Code
Leaving vuln.today