
CVE-2025-25351: n/a

Critical
Published: Wed Feb 12 2025 (02/12/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the dateexpense parameter.

AI-Powered Analysis

Last updated: 07/12/2025, 04:17:03 UTC

Technical Analysis

CVE-2025-25351 is a critical SQL Injection vulnerability identified in the PHPGurukul Daily Expense Tracker System version 1.1. The vulnerability exists in the /dets/add-expense.php script, specifically via the 'dateexpense' parameter. SQL Injection (CWE-89) allows an attacker to manipulate backend SQL queries by injecting malicious input, potentially leading to unauthorized data access, data modification, or complete system compromise. This vulnerability is remotely exploitable over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability affects confidentiality, integrity, and availability of the system, with a CVSS v3.1 score of 9.8 (critical). Although no known exploits are currently reported in the wild, the ease of exploitation and the high impact make this a severe threat. The lack of available patches or vendor information increases the risk, as organizations using this software may remain exposed until mitigations or updates are applied.

Potential Impact

For European organizations using the PHPGurukul Daily Expense Tracker System v1.1, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive financial data, manipulation of expense records, and potential disruption of financial tracking operations. This could result in financial loss, regulatory non-compliance (e.g., GDPR violations due to data breaches), reputational damage, and operational downtime. Given the critical nature of the vulnerability and its ability to be exploited remotely without authentication, attackers could leverage this flaw to gain persistent access or pivot within the network. Organizations in sectors such as finance, government, and SMEs that rely on this software for expense management are particularly vulnerable.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /dets/add-expense.php endpoint via network controls such as firewalls or VPNs to limit exposure.
2. Implement web application firewall (WAF) rules specifically targeting SQL Injection patterns on the 'dateexpense' parameter to block malicious payloads.
3. Conduct a thorough code review and apply parameterized queries or prepared statements to sanitize all user inputs, especially the 'dateexpense' parameter, to eliminate SQL Injection risks.
4. If possible, isolate the expense tracker system in a segmented network zone to minimize lateral movement in case of compromise.
5. Monitor logs for suspicious database query patterns or anomalies related to the vulnerable endpoint.
6. Engage with the software vendor or community to obtain patches or updates; if unavailable, consider migrating to alternative, secure expense tracking solutions.
7. Educate developers and administrators on secure coding practices and regular vulnerability assessments to prevent similar issues.
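The following is an added illustration of recommendation 3, not PHPGurukul's own code: a constructed add-expense handler in which the 'dateexpense' parameter is first concatenated into the query (the vulnerable pattern) and then, in the hardened version, strictly validated as a calendar date and bound through a mysqli prepared statement. The table name `tblexpense`, its columns and the `item`/`cost` fields are assumptions made for the example.

```php
<?php
// Constructed example (not the project's code). Assumed schema:
// tblexpense(UserId, ExpenseDate, ExpenseItem, ExpenseCost).

// Vulnerable pattern: request values are interpolated into the SQL text, so
// the database cannot distinguish the 'dateexpense' data from the statement.
function addExpenseVulnerable(mysqli $db, int $userId, array $post): bool
{
    $sql = "INSERT INTO tblexpense (UserId, ExpenseDate, ExpenseItem, ExpenseCost)
            VALUES ('$userId', '{$post['dateexpense']}', '{$post['item']}', '{$post['cost']}')";
    return (bool) $db->query($sql);
}

// Hardened input check: accept only a real YYYY-MM-DD calendar date.
// createFromFormat() is lenient (e.g. 2025-02-30 rolls over into March),
// so the formatted value is compared back against the raw input.
function validateExpenseDate(string $raw): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

// Hardened handler: validate, then bind every value as a typed parameter.
// Rejecting bad input is preferred over trying to "sanitize" it in place.
function addExpenseSafe(mysqli $db, int $userId, array $post): bool
{
    $date = validateExpenseDate((string) ($post['dateexpense'] ?? ''));
    $item = trim((string) ($post['item'] ?? ''));
    $cost = filter_var($post['cost'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($date === null || $item === '' || $cost === false || $cost < 0) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO tblexpense (UserId, ExpenseDate, ExpenseItem, ExpenseCost) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // i = int, s = string, d = double; the values never become part of the SQL text.
    $stmt->bind_param('issd', $userId, $date, $item, $cost);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same validate-then-bind pattern applies to every other request parameter the script reads; a WAF rule on 'dateexpense' alone (recommendation 2) only reduces exposure until the code is fixed.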


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-02-07T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6d8e

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 4:17:03 AM

Last updated: 8/11/2025, 10:14:58 PM

