EUVD-2025-16949

CVE-2025-5625 | HIGH
2025-06-05 [email protected]
CVSS 3.1 base score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026, 17:53 (vuln.today)
EUVD ID Assigned: Mar 14, 2026, 17:53 (euvd), EUVD-2025-16949
PoC Detected: Jun 06, 2025, 15:16 (vuln.today), public exploit code
CVE Published: Jun 05, 2025, 01:15 (nvd), HIGH 7.3

Description (NVD)

A vulnerability was found in Campcodes Online Teacher Record Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /search-teacher.php. The manipulation of the argument searchteacher leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, specifically in the /search-teacher.php file's 'searchteacher' parameter. An unauthenticated remote attacker can exploit this flaw to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of teacher records. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely in the wild.

Technical Context (AI)

This vulnerability stems from improper input validation and parameterization in PHP application code (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The /search-teacher.php endpoint accepts user-supplied input via the 'searchteacher' parameter and directly incorporates it into SQL queries without proper escaping or prepared statement usage. The affected product is Campcodes Online Teacher Record Management System 1.0, a PHP-based web application designed for educational institution record management. The root cause is a classic first-order SQL injection where untrusted user input flows directly into SQL command construction, likely using string concatenation rather than parameterized queries or ORM frameworks with proper query binding.

Remediation (AI)

Immediate remediation steps:

(1) If available, upgrade Campcodes Online Teacher Record Management System to a patched version beyond 1.0 (vendor patch status is unknown from the provided data; contact Campcodes directly or check their official advisories).
(2) As a temporary mitigation, implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads in the 'searchteacher' parameter (signature: common SQL keywords such as UNION, SELECT, OR, DROP in parameter values).
(3) Disable or restrict network access to the /search-teacher.php endpoint using network segmentation or IP whitelisting until patching is possible.
(4) Implement input validation on the 'searchteacher' parameter using a whitelist approach (alphanumeric characters only, if the search use case permits).
(5) Enable database query logging and monitor for suspicious SQL patterns.
(6) If source code is available, refactor the search functionality to use parameterized queries (prepared statements) with bound parameters rather than string concatenation.

Contact Campcodes support for official patch status and timeline.
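The hardened search handler that steps (4) and (6) call for, as an added example that is not taken from the Campcodes product: only the searchteacher parameter name and the /search-teacher.php endpoint come from the advisory; the teachers table, its columns and the database credentials are assumptions.

```php
<?php
// Added example, not the vendor's code. Replaces the pattern the advisory
// describes, where the raw parameter is concatenated into the SQL text, e.g.
//   "... WHERE name LIKE '%" . $_GET['searchteacher'] . "%'"
// with whitelist validation (step 4) and a prepared statement (step 6).
// Assumed schema: teachers(id, name, subject).

function search_teachers(mysqli $db, string $raw): array
{
    // Step (4): whitelist. Letters, digits, spaces, dots, hyphens and
    // apostrophes cover typical names; anything else is rejected outright,
    // including the LIKE wildcards % and _ so they cannot widen the match.
    $term = trim($raw);
    if ($term === '' || strlen($term) > 64
        || !preg_match('/^[A-Za-z0-9 .\'\-]+$/', $term)) {
        return [];
    }

    // Step (6): the term is bound as data, never spliced into the SQL text,
    // so its content cannot change the structure of the query.
    $stmt = $db->prepare(
        'SELECT id, name, subject FROM teachers '
        . 'WHERE name LIKE CONCAT(?, \'%\') ORDER BY name LIMIT 50'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $term);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// Request handling for /search-teacher.php. Credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'school');
$db->set_charset('utf8mb4');

$results = search_teachers($db, (string) ($_GET['searchteacher'] ?? ''));
header('Content-Type: application/json');
echo json_encode($results);
```

Rejected input returns an empty result set rather than an error, so a logging hook at the validation branch is the natural place to feed step (5)'s monitoring.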


EUVD-2025-16949 vulnerability details – vuln.today
