CVE-2025-6155

| EUVD-2025-18443 HIGH
2025-06-17 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18443
PoC Detected
Jun 24, 2025 - 15:53 vuln.today
Public exploit code
CVE Published
Jun 17, 2025 - 03:15 nvd
HIGH 7.3

Tags

PHP SQLi Hostel Management System

Description

A vulnerability was found in PHPGurukul Hostel Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /includes/login-hm.inc.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical SQL injection vulnerability in PHPGurukul Hostel Management System 1.0 affecting the login functionality (/includes/login-hm.inc.php). An unauthenticated attacker can manipulate the Username parameter to execute arbitrary SQL queries remotely, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation potential significantly elevate real-world risk despite a moderate CVSS score of 7.3.

Technical Context

The vulnerability exists in PHPGurukul Hostel Management System 1.0, a PHP-based web application for hostel administration. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output), specifically manifesting as SQL injection in the login module. The /includes/login-hm.inc.php file fails to properly sanitize or parameterize the Username input parameter before incorporating it into SQL queries. This allows attackers to inject malicious SQL syntax (e.g., ' OR '1'='1) to bypass authentication, extract sensitive data, or modify database contents. The vulnerability affects the authentication layer, a critical trust boundary in any web application.

Affected Products

PHPGurukul Hostel Management System version 1.0 and potentially earlier versions. The specific vulnerable file is /includes/login-hm.inc.php. CPE string would be: cpe:2.3:a:phpgurukul:hostel_management_system:1.0:*:*:*:*:*:*:*. No vendor patch information is available in the public disclosure, suggesting the open-source project may be unmaintained or updates are pending. Organizations using this software across educational institutions, hostels, and dormitory management should inventory all instances.

Remediation

Immediate actions: (1) Apply input validation to the Username parameter—use allowlist-based validation (alphanumeric + specific symbols only) and enforce length limits; (2) Implement parameterized queries or prepared statements in /includes/login-hm.inc.php to separate SQL logic from data; (3) Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns (e.g., quotes, UNION, SELECT keywords in login parameters); (4) Consider upgrading to a newer version of PHPGurukul if available, or migrate to maintained hostel management solutions; (5) Conduct a security audit of all authentication-related code in the application. No official vendor patch is currently available; coordinate with PHPGurukul maintainers for a security update. Short-term workaround: disable the application or restrict access via network controls until patched.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6155 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy