PHPGurukul BP Monitoring Management System CVE-2025-8134
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as critical was found in PHPGurukul BP Monitoring Management System 1.0. This vulnerability affects unknown code of the file /bwdates-report-result.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in PHPGurukul BP Monitoring Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the fromdate/todate parameters in /bwdates-report-result.php. The vulnerability requires user authentication (PR:L) but carries low confidentiality, integrity, and availability impact (VC:L/VI:L/VA:L). Publicly available exploit code exists, though real-world exploitation remains limited by authentication requirements and modest technical impact.
Technical ContextAI
The vulnerability exists in the /bwdates-report-result.php endpoint, which processes date-range filtering for blood pressure monitoring reports. The fromdate and todate parameters are passed directly into SQL queries without proper input validation or parameterized query preparation, allowing injection of arbitrary SQL syntax. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) manifesting as SQL injection. The affected product is a PHP-based healthcare management application (CPE: cpe:2.3:a:phpgurukul:bp_monitoring_management_system:1.0:*:*:*:*:*:*:*) that likely uses direct string concatenation or insufficient escaping when constructing date-based SQL queries.
RemediationAI
Contact PHPGurukul for a patched version of the BP Monitoring Management System, as no specific fix version is currently documented. Until an update is available, implement parameterized queries (prepared statements) in the /bwdates-report-result.php file to replace direct string concatenation in SQL queries. Input validation should enforce date format constraints (e.g., YYYY-MM-DD) using whitelist patterns, and database user accounts should be restricted to minimal necessary permissions (e.g., SELECT-only on the reporting view, not direct table access). As an immediate compensating control, restrict access to the reporting functionality via network-level access controls or authentication policy enforcement - only authorized users who genuinely need date-range report filtering should have access to this endpoint. Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in the fromdate/todate parameters. Monitor database query logs for anomalous SQL syntax that may indicate exploitation attempts.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today