CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
A vulnerability was found in PHPGurukul Curfew e-Pass Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/edit-category-detail.php. The manipulation of the argument editid leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Critical SQL injection vulnerability in PHPGurukul Curfew e-Pass Management System 1.0 affecting the /admin/edit-category-detail.php endpoint. An unauthenticated remote attacker can manipulate the 'editid' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. The vulnerability has been publicly disclosed with proof-of-concept availability, making active exploitation highly likely.
Technical Context (AI)
The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), manifesting as SQL injection. The affected application is PHPGurukul's Curfew e-Pass Management System (a PHP-based web application), which fails to properly sanitize or parameterize user input in the 'editid' parameter before incorporating it into SQL queries. The administrative interface file /admin/edit-category-detail.php processes category edit requests without adequate input validation, allowing attackers to inject malicious SQL syntax. This is a classic example of improper input handling in legacy PHP applications that lack prepared statements or parameterized query mechanisms.
Remediation (AI)
Immediate actions:
(1) Add input validation and parameterized queries (prepared statements) to /admin/edit-category-detail.php so that the 'editid' value is passed as a bound parameter, using PHP's PDO or MySQLi.
(2) Apply web application firewall (WAF) rules to detect and block common SQL injection patterns in the editid parameter.
(3) Apply the principle of least privilege to the database accounts used by the application.
(4) Contact PHPGurukul for security patches; if none are available, consider migrating to a maintained e-pass management solution.
(5) Conduct a security audit of other administrative endpoints for similar vulnerabilities.
(6) Temporarily restrict access to /admin/ endpoints to trusted IP ranges until patches are applied.
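The validation and bound-parameter handling recommended above, as an added example that is not PHPGurukul's code. The table and column names, the helper function names, and the in-memory SQLite database standing in for the application's MySQL backend are assumptions, since the page does not show the affected query; it needs PHP 8.0+ with pdo_sqlite.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a plain positive decimal integer.
// Arrays, signs, whitespace and any SQL syntax are rejected outright.
function parseEditId(mixed $raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hypothetical helper: the id travels as a bound parameter and never
// becomes part of the SQL text. Table and column names are placeholders.
function fetchCategory(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, category_name FROM category_example WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
// Against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE category_example (id INTEGER PRIMARY KEY, category_name TEXT)');
$db->exec("INSERT INTO category_example VALUES (1, 'Medical'), (2, 'Grocery')");

// Constructed sample values, as they would arrive in $_GET['editid'].
$samples = ['2', '2 OR 1=1', '2abc', '-1', ['2'], '99'];
foreach ($samples as $raw) {
    $id = parseEditId($raw);
    if ($id === null) {
        // A real handler would answer HTTP 400 and log the request here.
        echo json_encode($raw), " => rejected\n";
        continue;
    }
    $row = fetchCategory($db, $id);
    echo json_encode($raw), ' => ', $row ? $row['category_name'] : 'no such category', "\n";
}
```

Validation and binding are independent layers: the bound parameter alone prevents injection, while the strict integer check gives a clean rejection point that can be logged and alerted on.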
EUVD-2025-16824