CVE-2025-45021 is a SQL Injection vulnerability identified in the admin/edit-directory.php file of the PHPGurukul Directory Management System version 2.0. This vulnerability arises from improper sanitization or validation of the 'email' parameter in a POST request, allowing an attacker with at least low-level privileges to inject arbitrary SQL commands. Exploiting this flaw could enable an attacker to manipulate the backend database, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires local access (AV:L) and low privileges (PR:L), but does not require user interaction (UI:N). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is low to medium (C:L/I:L/A:L). The CVSS score is 5.3, categorizing it as a medium severity issue. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is classified under CWE-89, which corresponds to SQL Injection, a common and critical web application security flaw. Given that the affected product is a directory management system, exploitation could compromise sensitive directory data, user credentials, or administrative information stored in the database. The attack vector being local suggests that the attacker must have some level of access to the system or network to exploit the vulnerability, limiting remote exploitation possibilities but still posing a risk in multi-user or shared environments.

For European organizations using PHPGurukul Directory Management System v2.0, this vulnerability could lead to unauthorized disclosure or alteration of directory data, which may include sensitive personal or organizational information. This could result in data breaches, loss of data integrity, and potential disruption of directory services critical for internal communications or operations. The medium severity indicates a moderate risk, but the requirement for local access and low privileges reduces the likelihood of widespread exploitation. However, in environments where multiple users have access to the system, such as universities, government agencies, or enterprises using this software for directory management, the risk is more pronounced. Compromise of directory data could facilitate further attacks, including privilege escalation or lateral movement within the network. Additionally, the absence of patches increases the window of exposure until a fix is available. Organizations may also face regulatory and compliance risks under GDPR if personal data is exposed or altered due to this vulnerability.

1. Restrict access to the admin/edit-directory.php interface strictly to trusted and authenticated users with necessary privileges, ideally through network segmentation or VPN access. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'email' parameter in POST requests. 3. Conduct thorough input validation and sanitization on all user-supplied data, especially the 'email' parameter, using parameterized queries or prepared statements to prevent SQL injection. 4. Monitor logs for unusual database queries or failed SQL commands that may indicate attempted exploitation. 5. Limit database user privileges associated with the web application to the minimum necessary to reduce impact if exploited. 6. Prepare for patch deployment by tracking vendor updates or community advisories related to PHPGurukul Directory Management System. 7. Educate administrators and users about the risks of local privilege misuse and enforce strong access controls and auditing. 8. Consider deploying intrusion detection systems (IDS) to identify suspicious activities on systems running the vulnerable software.