
CVE-2025-4155: SQL Injection in PHPGurukul Boat Booking System

Medium
Published: Thu May 01 2025 (05/01/2025, 07:31:05 UTC)
Source: CVE
Vendor/Project: PHPGurukul
Product: Boat Booking System

Description

A vulnerability, which was classified as critical, was found in PHPGurukul Boat Booking System 1.0. This affects an unknown part of the file /admin/edit-boat.php. The manipulation of the argument bid leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/25/2025, 21:13:16 UTC

Technical Analysis

CVE-2025-4155 is a SQL Injection vulnerability identified in version 1.0 of the PHPGurukul Boat Booking System, specifically within the /admin/edit-boat.php file. The vulnerability arises from improper sanitization or validation of the 'bid' parameter, which is used to identify a boat record for editing. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended SQL query executed by the backend database. This can lead to unauthorized data access, modification, or deletion within the database. The vulnerability does not require user interaction and can be exploited without authentication, increasing its risk profile. The CVSS 4.0 base score is 5.3, categorized as medium severity, reflecting limited impact on confidentiality, integrity, and availability, and requiring low privileges (PR:L) but no user interaction (UI:N). The vulnerability scope is local to the affected component without system-wide impact (SC:N). Although no known exploits are currently active in the wild, the public disclosure of the exploit code increases the likelihood of exploitation attempts. The affected product is a niche boat booking system, which may be deployed by maritime service providers or tourism operators. The vulnerability's exploitation could allow attackers to extract sensitive booking data, manipulate booking records, or disrupt service availability, potentially impacting business operations and customer trust.

Potential Impact

For European organizations using the PHPGurukul Boat Booking System 1.0, this vulnerability poses a risk of unauthorized database access and manipulation. Given the system's role in managing bookings, exploitation could lead to exposure of personal customer data, including names, contact details, and booking histories, violating GDPR requirements and resulting in regulatory penalties. Data integrity could be compromised by unauthorized modification or deletion of booking records, leading to operational disruptions and financial losses. Availability impact is limited but possible if attackers execute destructive SQL commands. The medium CVSS score reflects that while the vulnerability requires some privilege level, it does not need user interaction, making it moderately accessible to attackers with limited access. European maritime and tourism sectors relying on this system could face reputational damage and operational challenges if exploited. Additionally, the lack of a patch or mitigation guidance increases the urgency for organizations to implement compensating controls.

Mitigation Recommendations

Immediately restrict access to the /admin/edit-boat.php endpoint to trusted administrators only, using network-level controls such as IP whitelisting or VPN access. Implement web application firewall (WAF) rules specifically targeting SQL injection patterns on the 'bid' parameter to detect and block malicious payloads. Conduct a thorough code review and apply input validation and parameterized queries (prepared statements) to sanitize the 'bid' parameter and other user inputs in the application. If possible, upgrade or replace the PHPGurukul Boat Booking System with a version or alternative product that addresses this vulnerability. Monitor database logs for unusual queries or access patterns that may indicate exploitation attempts. Enforce the principle of least privilege on database accounts used by the application, limiting permissions to only necessary operations to reduce potential damage from injection attacks. Prepare an incident response plan specific to potential data breaches involving booking data, including notification procedures compliant with GDPR. Regularly back up booking system databases and verify backup integrity to enable recovery in case of data corruption or deletion.
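The parameterized-query fix recommended above, shown as an added example beside the unsafe pattern it replaces. This is illustration code, not PHPGurukul's own source: the table and column names, the in-memory SQLite database and the sample inputs are all constructed for the demo.

```php
<?php
// Added example (not PHPGurukul code): the concatenation pattern a 'bid'
// lookup in a page like edit-boat.php typically follows, beside a hardened
// version using input validation plus a prepared statement. An in-memory
// SQLite database stands in for MySQL so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tblboats (id INTEGER PRIMARY KEY, boatname TEXT)");
$db->exec("INSERT INTO tblboats VALUES (1,'Seabird'),(2,'Dolphin'),(3,'Orca')");

// Vulnerable: the request value is pasted into the SQL text, so whatever the
// client sends becomes part of the query structure instead of being data.
function loadBoatUnsafe(PDO $db, string $bid): array {
    $sql = "SELECT id, boatname FROM tblboats WHERE id = $bid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a positive integer, then bind the
// value as a typed parameter so it can never alter the query structure.
function loadBoatSafe(PDO $db, string $bid): ?array {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $bid)) {
        return null; // caller should answer HTTP 400 and log the attempt
    }
    $stmt = $db->prepare("SELECT id, boatname FROM tblboats WHERE id = :id");
    $stmt->bindValue(':id', (int)$bid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

$normal   = '2';          // what a legitimate edit link carries
$tampered = '2 OR 1=1';   // constructed non-integer value for the demo

printf("unsafe, normal input: %d row(s)\n", count(loadBoatUnsafe($db, $normal)));
printf("unsafe, tampered input: %d row(s)\n", count(loadBoatUnsafe($db, $tampered)));
printf("safe, normal input: %s\n", loadBoatSafe($db, $normal)['boatname']);
printf("safe, tampered input: %s\n", var_export(loadBoatSafe($db, $tampered), true));
```

The same validate-then-bind shape applies to every other request parameter the application feeds into SQL; the WAF rule and database-log monitoring recommended above can key on the same rule (a `bid` value that is not a bare integer) to flag attempts.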


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-04-30T18:26:40.394Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d9839c4522896dcbec939

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 9:13:16 PM

Last updated: 7/30/2025, 11:17:33 AM
