EUVD-2025-17021Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in Campcodes Online Teacher Record Management System 1.0. It has been classified as critical. This affects an unknown part of the file /trms/admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, affecting the administrative report functionality at /trms/admin/bwdates-reports-details.php. An unauthenticated remote attacker can manipulate the fromdate/todate parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk.
Technical ContextAI
The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as SQL injection through unsanitized user input. The affected application is Campcodes Online Teacher Record Management System (OTMS) version 1.0, a PHP-based administrative system for educational institutions. The vulnerable endpoint /trms/admin/bwdates-reports-details.php processes date range parameters (fromdate/todate) without proper input validation, parameterized queries, or escaping before incorporating them into SQL statement construction. The root cause is the direct concatenation of user-supplied date values into dynamic SQL queries, allowing attackers to inject SQL metacharacters and arbitrary commands. This is a classic case of inadequate input sanitization in PHP applications that interact with relational databases.
RemediationAI
primary_actions: ['Upgrade Campcodes Online Teacher Record Management System to a patched version if available from vendor', 'If no patch exists, immediately implement parameterized queries (prepared statements) for all date input handling in bwdates-reports-details.php', 'Apply strict input validation: enforce date format validation (e.g., YYYY-MM-DD), whitelist allowed characters, reject any input containing SQL metacharacters or keywords']; vendor_patch_status: No specific patch version identified in disclosed sources; contact Campcodes directly for security updates or workaround guidance; workarounds: ['Restrict network access to /trms/admin/ directory using firewall rules, WAF rules, or web server access controls to limit exposure to trusted administrative networks only', 'Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in fromdate/todate parameters', 'Enable database query logging and set up alerts for suspicious SQL patterns or UNION-based injection attempts', 'Apply database-level principle of least privilege: ensure the application database user has minimal permissions needed for normal operations']; verification: After applying patches or workarounds, test the vulnerable endpoint with SQL injection payloads (e.g., '; DROP TABLE--') to confirm sanitization is effective
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today