EUVD-2025-18875

| CVE-2025-6404 HIGH
2025-06-21 [email protected]
PHP SQLi Online Teacher Record Management System
7.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 21:35 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 21:35 euvd
EUVD-2025-18875
PoC Detected
Jun 24, 2025 - 19:33 vuln.today
Public exploit code
CVE Published
Jun 21, 2025 - 12:15 nvd
HIGH 7.3

DescriptionNVD

A vulnerability classified as critical has been found in Campcodes Online Teacher Record Management System 1.0. Affected is an unknown function of the file /admin/search.php. The manipulation of the argument searchdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6404 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, specifically in the /admin/search.php file's searchdata parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the database. Public disclosure and available proof-of-concept code indicate active exploitation is possible and likely occurring.

Technical ContextAI

The vulnerability exists in a PHP-based web application (Campcodes Online Teacher Record Management System) that handles administrative search functionality. The /admin/search.php endpoint accepts user-supplied input via the 'searchdata' parameter without proper input validation or parameterized query preparation, allowing direct SQL injection attacks. This represents a CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) vulnerability where unsanitized user input is passed directly into SQL query construction. The affected product is a learning management system targeting educational institutions, making it particularly sensitive due to handling of student and teacher records.

RemediationAI

Immediate actions: (1) Disable or restrict access to /admin/search.php until patching is complete; (2) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the searchdata parameter (e.g., detecting single quotes, UNION keywords, comments); (3) Review database logs for suspicious query patterns indicating exploitation attempts. Long-term: (1) Contact Campcodes vendor immediately for patched version availability; (2) Upgrade to the patched version as soon as released; (3) Implement prepared statements/parameterized queries for all database interactions; (4) Conduct code review of all search functionality for similar vulnerabilities; (5) Implement input validation using whitelist approach for searchdata parameter; (6) Apply principle of least privilege to database accounts used by the application.

Share

EUVD-2025-18875 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy