Skip to main content

CVE-2025-4176: SQL Injection in PHPGurukul Blood Bank & Donor Management System

Medium
VulnerabilityCVE-2025-4176cvecve-2025-4176
Published: Thu May 01 2025 (05/01/2025, 21:31:05 UTC)
Source: CVE
Vendor/Project: PHPGurukul
Product: Blood Bank & Donor Management System

Description

A vulnerability has been found in PHPGurukul Blood Bank & Donor Management System 2.4 and classified as critical. This vulnerability affects unknown code of the file /admin/request-received-bydonar.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 06/26/2025, 02:01:58 UTC

Technical Analysis

CVE-2025-4176 is a SQL Injection vulnerability identified in version 2.4 of the PHPGurukul Blood Bank & Donor Management System, specifically within the /admin/request-received-bydonar.php file. The vulnerability arises due to improper sanitization or validation of the 'searchdata' parameter, which is directly used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This can lead to unauthorized data retrieval, modification, or deletion, compromising the confidentiality, integrity, and availability of sensitive blood bank and donor data. The vulnerability requires no authentication or user interaction, making it exploitable by any remote attacker with network access to the affected system. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required, but with limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The affected product is a specialized healthcare management system used to manage blood bank inventories and donor information, which often contains sensitive personal and medical data. The lack of available patches or mitigation details further elevates the risk for organizations relying on this software version.

Potential Impact

For European organizations, particularly healthcare providers, blood banks, and associated medical institutions using PHPGurukul Blood Bank & Donor Management System 2.4, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive donor and patient information, violating GDPR and other data protection regulations. Data integrity could be compromised, affecting the accuracy of blood inventory and donor records, potentially leading to operational disruptions and patient safety risks. Additionally, attackers could disrupt service availability by manipulating or deleting critical data, impacting emergency medical services. The exposure of personal health information could result in reputational damage, regulatory fines, and legal liabilities. Given the critical nature of blood bank operations, even limited downtime or data corruption can have severe consequences for healthcare delivery.

Mitigation Recommendations

1. Immediate mitigation should include implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'searchdata' parameter in /admin/request-received-bydonar.php. 2. Conduct a thorough code review and apply input validation and parameterized queries (prepared statements) to sanitize all user inputs, especially 'searchdata'. 3. If possible, upgrade to a newer, patched version of the PHPGurukul Blood Bank & Donor Management System once available. 4. Restrict network access to the administrative interface to trusted IP addresses or VPN-only access to reduce exposure. 5. Monitor database logs and application logs for unusual queries or access patterns indicative of exploitation attempts. 6. Regularly back up critical data with integrity checks to enable recovery in case of data tampering or loss. 7. Educate system administrators about the vulnerability and ensure timely application of security updates. 8. Consider deploying database activity monitoring tools to detect anomalous SQL commands in real-time.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-05-01T12:36:21.209Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d9838c4522896dcbebe20

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/26/2025, 2:01:58 AM

Last updated: 8/15/2025, 11:59:06 AM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats