CVE-2025-6330

| EUVD-2025-18744 HIGH
2025-06-20 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-18744
PoC Detected
Jun 26, 2025 - 18:48 vuln.today
Public exploit code
CVE Published
Jun 20, 2025 - 10:15 nvd
HIGH 7.3

Tags

PHP SQLi Directory Management System

Description

A vulnerability classified as critical has been found in PHPGurukul Directory Management System 1.0. Affected is an unknown function of the file /searchdata.php. The manipulation of the argument searchdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6330 is a critical SQL injection vulnerability in PHPGurukul Directory Management System version 1.0, specifically in the /searchdata.php file's 'searchdata' parameter. An unauthenticated remote attacker can inject arbitrary SQL commands to compromise confidentiality, integrity, and availability of the underlying database. Public disclosure and proof-of-concept exploitation have occurred, making this an immediately actionable threat despite the moderate CVSS 7.3 score.

Technical Context

The vulnerability exists in PHPGurukul Directory Management System 1.0, a PHP-based directory management application. The /searchdata.php endpoint accepts user-supplied input via the 'searchdata' parameter without proper input validation or prepared statements, allowing attackers to inject SQL metacharacters. This is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which encompasses SQL injection when output is improperly sanitized before database queries. The root cause is the absence of parameterized queries or input filtering mechanisms that would neutralize SQL syntax characters. The affected technology stack includes PHP runtime environment and a backend SQL database (likely MySQL/MariaDB or PostgreSQL).

Affected Products

PHPGurukul Directory Management System version 1.0. CPE identifier (inferred): cpe:2.3:a:phpgurukul:directory_management_system:1.0:*:*:*:*:*:*:*. Note: PHPGurukul is an open-source project; affected installations include all deployments running version 1.0 without subsequent patches. No vendor advisory links or patch references are provided in available sources, suggesting either lack of official vendor remediation or outdated/abandoned project status.

Remediation

Immediate actions: (1) Identify and inventory all deployments of PHPGurukul Directory Management System 1.0 in your environment; (2) If vendor patches exist, upgrade to the latest patched version immediately; (3) If no official patch is available (likely given project age), implement input validation and output encoding: replace all direct SQL queries in /searchdata.php with prepared statements/parameterized queries using PHP PDO or mysqli prepared statements; (4) Short-term mitigation: implement Web Application Firewall (WAF) rules to block SQL injection patterns in the searchdata parameter (regex patterns for common SQL keywords and metacharacters); (5) Database-level mitigation: apply principle of least privilege to database user accounts used by the application; (6) Monitor database query logs for suspicious activity; (7) Consider decommissioning or replacing PHPGurukul 1.0 with actively maintained directory management solutions if vendor support is unavailable.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6330 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy