EUVD-2025-19075

CVE-2025-6580 | HIGH 7.3 (CVSS 3.1) | published 2025-06-24

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events, newest first)

- Mar 15, 2026 22:36 (vuln.today): Analysis generated
- Mar 15, 2026 22:36 (euvd): EUVD ID assigned: EUVD-2025-19075
- Jul 02, 2025 17:13 (vuln.today): PoC detected, public exploit code
- Jun 24, 2025 22:15 (nvd): CVE published, HIGH 7.3

Description (NVD)

A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the component Login. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-6580 is a SQL injection vulnerability in SourceCodester Best Salon Management System 1.0, located in the Username parameter of the Login component. NVD scores it 7.3 (HIGH) on CVSS 3.1: network attack vector, low complexity, no privileges and no user interaction required. An unauthenticated remote attacker who can reach the login page can inject SQL into the authentication query, which allows authentication bypass and, depending on the shape of the query and the privileges of the database account, reading or modifying other data. Public proof-of-concept code was detected on Jul 02, 2025, so exploitation risk should be treated as elevated.

Technical Context (AI)

This is a classic SQL injection in the authentication path. The Username input of the Login component is incorporated into an SQL statement without parameterization or adequate escaping, so quote characters and SQL syntax in the submitted value become part of the query. SourceCodester Best Salon Management System 1.0 appears to be a PHP-based web application for salon business management; the root cause is string-built SQL in the login logic rather than prepared statements or parameterized queries. A payload such as ' OR '1'='1 (typically combined with a comment sequence so the rest of the WHERE clause is discarded) can bypass authentication, and the same injection point can be used to extract or modify database contents. The page files the flaw under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); that is the general injection class, and the specific child that describes this bug is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection').

Remediation (AI)

Immediate actions:
(1) Upgrade SourceCodester Best Salon Management System to a patched version if one is available, or contact SourceCodester for security updates.
(2) If no patch is available, front the application with a WAF rule that blocks SQL injection patterns in the Login Username parameter (single quotes, SQL keywords, comment sequences). Treat this as a stop-gap: such rules also reject legitimate values that contain apostrophes, and they do not remove the underlying flaw.
(3) Replace string concatenation with prepared statements and parameterized queries in all database interactions, starting with the authentication code.
(4) Run the application against a database account that has only the privileges it needs (least privilege), so a successful injection cannot read or modify unrelated tables or execute administrative statements.
(5) Enable SQL query logging and monitor the login path for quote characters, comment sequences and tautologies in the Username value.
(6) Restrict network access to the database server so it is reachable only from the application host.
Temporary mitigation: deploy the WAF rules above until patching is possible.
Code-level fix: replace the string-built login query with a prepared statement using the application's database library, binding the username as a parameter.
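The following is an added example covering both the Technical Context and Remediation sections above. It is not code from the Best Salon Management System project, whose actual login statement is not shown in the advisory; the table layout, the column names, the SHA-256 password hashing and the two payload strings are assumptions. It models the string-concatenated login query the advisory describes beside its parameterized replacement, runs the ' OR '1'='1 style payloads against both (with a trailing "-- " comment so the password clause is discarded, which is the form the bypass usually takes), and shows why the stop-gap "block single quotes" WAF rule from step (2) is only a stop-gap. SQLite stands in for the application's MySQL database so the example runs offline.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample accounts. The real schema and password storage of
# Best Salon Management System are not given by the advisory; this table
# is an assumption standing in for the application's users table.
SAMPLE_USERS = [
    ("admin", hashlib.sha256(b"correct-horse").hexdigest()),
    ("stylist1", hashlib.sha256(b"another-secret").hexdigest()),
]


def build_db():
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def vulnerable_login(conn, username, password):
    """The pattern the advisory describes: the Username argument is spliced
    into the SQL text. Returns the matched username, or None on failure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened form: the username travels as a bound parameter, so quotes
    and SQL keywords inside it are just characters of a string literal.
    The password is then verified in application code with a constant-time
    compare. (Plain SHA-256 keeps the example stdlib-only; real code should
    use a password hash such as bcrypt or argon2.)"""
    row = conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    expected = hashlib.sha256(password.encode()).hexdigest()
    return row[0] if hmac.compare_digest(row[1], expected) else None


def naive_quote_filter(username):
    """Models the stop-gap WAF rule from the Remediation section (reject any
    Username containing a single quote). True means the request is blocked."""
    return "'" in username


# Two injection payloads built on the advisory's ' OR '1'='1 fragment
# (assumed forms). The trailing "-- " comment discards the password clause.
PAYLOAD_TARGETED = "admin' -- "        # log in as a chosen account
PAYLOAD_FIRST_ROW = "' OR '1'='1' -- "  # tautology: first row wins


def demo():
    """Run every case once and return the outcomes keyed by name."""
    conn = build_db()
    return {
        "vuln_bypass_targeted": vulnerable_login(conn, PAYLOAD_TARGETED, "wrong"),
        "vuln_bypass_first_row": vulnerable_login(conn, PAYLOAD_FIRST_ROW, "wrong"),
        "vuln_wrong_password": vulnerable_login(conn, "admin", "wrong"),
        "safe_bypass_targeted": safe_login(conn, PAYLOAD_TARGETED, "wrong"),
        "safe_bypass_first_row": safe_login(conn, PAYLOAD_FIRST_ROW, "wrong"),
        "safe_legit": safe_login(conn, "admin", "correct-horse"),
        "waf_blocks_payload": naive_quote_filter(PAYLOAD_FIRST_ROW),
        "waf_blocks_legit_name": naive_quote_filter("o'brien"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

Against the concatenated query both payloads return the admin row with a wrong password; against the parameterized query the same strings are looked up as literal usernames, match nothing, and the login fails. The quote filter does block both payloads, but it also blocks a legitimate user named o'brien, which is why step (2) is a temporary measure and step (3) is the fix.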


EUVD-2025-19075 vulnerability details – vuln.today
