CVE-2025-5660 is a SQL Injection vulnerability identified in version 2.0 of the PHPGurukul Complaint Management System, specifically within the /user/register-complaint.php file. The vulnerability arises from improper sanitization or validation of the 'noc' parameter, which an attacker can manipulate to inject malicious SQL code. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries on the backend database without requiring user interaction or prior authentication. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its moderate impact and ease of exploitation. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), and no user interaction needed (UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the database, potentially enabling data leakage, unauthorized data modification, or denial of service. Although no public exploits are currently known in the wild, the disclosure of the vulnerability increases the risk of exploitation. The absence of patches or mitigations from the vendor at the time of publication further elevates the threat. Given that complaint management systems often store sensitive user and organizational data, exploitation could lead to significant data breaches or operational disruptions.

For European organizations using PHPGurukul Complaint Management System 2.0, this vulnerability poses a tangible risk to data confidentiality and system integrity. Attackers exploiting this SQL injection could access sensitive complaint records, personal identifiable information (PII), or internal communications, leading to privacy violations under GDPR regulations. The integrity of complaint data could be compromised, undermining trust and compliance with regulatory requirements. Additionally, attackers might disrupt complaint processing services, affecting organizational operations and customer satisfaction. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the impact might be limited by the scope of the affected functionality and the presence of other security controls. However, given the critical nature of complaint management systems in public and private sectors, any compromise could have reputational and legal consequences for European entities.

European organizations should immediately audit their use of PHPGurukul Complaint Management System 2.0 and identify any exposed instances of the /user/register-complaint.php endpoint. In the absence of an official patch, organizations should implement the following mitigations: 1) Apply input validation and parameterized queries or prepared statements to sanitize the 'noc' parameter and all user inputs interacting with the database. 2) Employ web application firewalls (WAFs) with SQL injection detection and prevention rules tailored to block malicious payloads targeting this endpoint. 3) Restrict network access to the complaint management system to trusted internal networks or VPNs to reduce exposure. 4) Monitor logs for suspicious SQL error messages or unusual database query patterns indicative of exploitation attempts. 5) Plan for an urgent update or patch deployment once the vendor releases a fix. 6) Conduct security awareness training for developers and administrators on secure coding practices and vulnerability management. These steps go beyond generic advice by focusing on immediate protective controls and proactive monitoring specific to this vulnerability.