CVE-2025-5298 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically within an unspecified function in the /admin/betweendates-detailsreports.php file. The vulnerability arises from improper sanitization or validation of the 'fromdate' and 'todate' input parameters, which are used to filter report data between specified dates. An attacker can manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the ease of exploitation (network vector, low attack complexity, no privileges or user interaction needed) but limited impact on confidentiality, integrity, and availability (low to limited impact). The vulnerability does not appear to have a known exploit in the wild yet, but public disclosure means attackers could develop exploits. Given the nature of hospital management systems, which store sensitive patient data and operational information, exploitation could lead to unauthorized data disclosure, data manipulation, or disruption of hospital reporting functions. The lack of available patches or mitigations from the vendor increases the urgency for organizations to implement compensating controls.

For European organizations, particularly healthcare providers using Campcodes Online Hospital Management System 1.0, this vulnerability poses a significant risk to patient data confidentiality and system integrity. Exploitation could lead to unauthorized access to sensitive medical records, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Additionally, manipulation of reporting data could disrupt hospital operations and decision-making processes. The remote and unauthenticated nature of the attack vector increases the likelihood of exploitation by external threat actors, including cybercriminals and state-sponsored groups targeting healthcare infrastructure. This could undermine trust in healthcare services and potentially impact patient safety if critical data is altered or deleted. The medium CVSS score suggests that while the impact is not catastrophic, the risk remains substantial due to the sensitive nature of the data and the critical role of hospital management systems in healthcare delivery.

Given the absence of official patches, European healthcare organizations should immediately implement the following mitigations: 1) Apply strict input validation and sanitization on the 'fromdate' and 'todate' parameters at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads. 2) Employ parameterized queries or prepared statements in the application code if source code access is possible, to eliminate SQL injection vectors. 3) Restrict access to the /admin/betweendates-detailsreports.php endpoint to trusted internal networks or VPN users only, reducing exposure to external attackers. 4) Monitor web server and database logs for suspicious query patterns or repeated access attempts to the vulnerable endpoint. 5) Conduct regular security assessments and penetration testing focused on input validation weaknesses. 6) Implement database user privilege restrictions to limit the impact of any successful injection, ensuring the database user account used by the application has minimal permissions. 7) Prepare incident response plans specific to healthcare data breaches to ensure rapid containment and notification in case of exploitation.