CVE-2024-44654 identifies an SQL Injection vulnerability in PHPGurukul Complaint Management System version 2.0, specifically in the reset-password.php script. The vulnerability arises because the email and mobileno parameters are not properly sanitized or parameterized before being used in SQL queries. This allows an attacker to craft malicious input that alters the intended SQL command, potentially extracting or modifying sensitive data from the backend database. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity but not availability. Although no public exploits have been reported, the presence of this vulnerability in a complaint management system poses a significant risk to data confidentiality and integrity, especially as such systems often store sensitive personal and complaint-related information. The lack of available patches necessitates immediate mitigation efforts by administrators. The CWE-89 classification confirms this is a classic SQL Injection flaw, a well-understood and commonly exploited vulnerability type.

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of personal data, including complainants' contact information and complaint details, violating GDPR and other data protection regulations. The integrity of complaint records could also be compromised, undermining trust in complaint handling processes and potentially affecting legal or regulatory outcomes. While availability is not impacted, the breach of confidentiality and integrity can cause reputational damage, legal penalties, and operational disruptions. Public sector entities, consumer rights organizations, and companies relying on PHPGurukul Complaint Management System for customer service are particularly at risk. The medium severity rating reflects the balance between the ease of exploitation and the limited scope of impact (no availability loss). However, given the sensitive nature of complaint data, the consequences of exploitation could be severe in regulated environments.

Administrators should immediately implement input validation and sanitization on the email and mobileno parameters to prevent malicious SQL input. The best practice is to refactor the code to use parameterized queries or prepared statements to eliminate SQL Injection risks. If source code modification is not immediately feasible, deploying a Web Application Firewall (WAF) with SQL Injection detection rules can provide temporary protection. Regularly audit and monitor database logs for unusual queries or access patterns indicative of exploitation attempts. Organizations should also review and restrict database user privileges to minimize potential damage from successful injection attacks. Since no official patches are currently available, contacting the vendor for updates or guidance is recommended. Additionally, ensure that backups of complaint data are maintained securely to enable recovery in case of data integrity compromise.