EUVD-2025-18889
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability, which was classified as critical, has been found in Campcodes Online Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/forgot-password.php. The manipulation of the argument fullname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
CVE-2025-6406 is a critical SQL injection vulnerability in Campcodes Online Hospital Management System version 1.0, specifically in the /hms/forgot-password.php endpoint where the 'fullname' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive hospital patient and administrative data. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.
Technical Context
This vulnerability is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - SQL Injection) affecting the forgot-password functionality in Campcodes Online Hospital Management System 1.0. The affected file /hms/forgot-password.php fails to properly sanitize or parameterize user input in the 'fullname' parameter before incorporating it into SQL queries. The application likely constructs dynamic SQL statements using string concatenation rather than prepared statements with parameterized queries. CPE designation: cpe:2.3:a:campcodes:online_hospital_management_system:1.0:*:*:*:*:*:*:*. The root cause is improper input validation/output encoding in a PHP-based web application handling healthcare data.
Affected Products
product: Campcodes Online Hospital Management System; affected_version: 1.0; cpe: cpe:2.3:a:campcodes:online_hospital_management_system:1.0:*:*:*:*:*:*:*; vulnerable_endpoint: /hms/forgot-password.php; vulnerable_parameter: fullname; attack_vector: Network (unauthenticated, no user interaction required)
Remediation
primary: Upgrade Campcodes Online Hospital Management System to a patched version beyond 1.0 (vendor patch version not specified in available data—contact Campcodes directly or check their security advisories); immediate_mitigations: ["Apply Web Application Firewall (WAF) rules to block SQL injection patterns in forgot-password.php requests (detect quotes, UNION, SELECT, comment syntax in 'fullname' parameter)", "Implement input validation: whitelist alphanumeric characters and common name delimiters (spaces, hyphens) in 'fullname' field; reject any parameter containing SQL metacharacters", "Force parameterized queries/prepared statements in /hms/forgot-password.php using PHP PDO with placeholders: $stmt = $pdo->prepare('SELECT * FROM users WHERE fullname = ?'); $stmt->execute([$fullname]);", 'Enable SQL error suppression in production to prevent SQL error messages from leaking database structure to attackers', "Restrict database user permissions: ensure the PHP application's database account has minimal privileges (SELECT only on necessary tables, no DROP/ALTER permissions)"]; long_term: Implement secure SDLC practices: code review focusing on CWE-74 patterns, static analysis scanning (SAST) for SQL injection, security testing before release. Migrate from PHP procedural code to a modern framework (Laravel, Symfony) with built-in ORM protections.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today