
CVE-2025-6859: SQL Injection in SourceCodester Best Salon Management System

Medium
Tags: Vulnerability, CVE-2025-6859
Published: Sun Jun 29 2025 (06/29/2025, 12:31:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Best Salon Management System

Description

A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been classified as critical. This affects an unknown part of the file /panel/pro_sale.php. The manipulation of the argument fromdate/todate leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/29/2025, 13:09:27 UTC

Technical Analysis

CVE-2025-6859 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester Best Salon Management System, specifically within the /panel/pro_sale.php file. The vulnerability arises from improper sanitization or validation of the 'fromdate' and 'todate' parameters, which are used in SQL queries. An attacker can remotely manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This can lead to unauthorized data retrieval, modification, or deletion, depending on the database privileges of the application. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. Despite the critical classification mentioned in the description, the CVSS 4.0 score is 5.3 (medium severity), reflecting limited impact on confidentiality, integrity, and availability, and the requirement of low privileges (PR:L) for exploitation. No known exploits are currently reported in the wild, but public disclosure of the exploit code increases the risk of future attacks. The vulnerability affects only version 1.0 of the product, and no official patches or mitigations have been linked yet.
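The root cause described above, shown as an added example that is not code from this page or from the SourceCodester project: the product is written in PHP, but the same pattern is reproduced here in Python against an in-memory sqlite3 database with a constructed `sales` table and sample rows (the real schema, column names and query text of /panel/pro_sale.php are not on the page and are assumptions). `vulnerable_sales_report` splices the two request parameters straight into the SQL text, which is the defect the analysis describes; `safe_sales_report` first checks that each value is a genuine YYYY-MM-DD date and then binds both values as query parameters, so a date range can never change the statement's structure.

```python
import re
import sqlite3
from datetime import date

# Constructed sample data standing in for the salon's sales table
# (hypothetical schema, not the real table behind pro_sale.php).
SAMPLE_SALES = [
    (1, "Shampoo", 12.50, "2025-06-01"),
    (2, "Conditioner", 9.00, "2025-06-10"),
    (3, "Hair Oil", 15.00, "2025-06-20"),
    (4, "Styling Gel", 7.25, "2025-07-02"),
]

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sales (id INTEGER PRIMARY KEY, product TEXT, amount REAL, sale_date TEXT)"
    )
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?, ?)", SAMPLE_SALES)
    conn.commit()
    return conn


def vulnerable_sales_report(conn: sqlite3.Connection, fromdate: str, todate: str) -> list:
    """The defect pattern: request parameters are spliced into the SQL text, so any
    quote or SQL syntax inside fromdate/todate becomes part of the statement."""
    sql = (
        "SELECT id, product, amount FROM sales "
        f"WHERE sale_date BETWEEN '{fromdate}' AND '{todate}' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def is_valid_date(value: str) -> bool:
    """Allow-list check: exactly YYYY-MM-DD and a real calendar date."""
    if not ISO_DATE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)  # rejects impossible dates such as 2025-02-30
    except ValueError:
        return False
    return True


def safe_sales_report(conn: sqlite3.Connection, fromdate: str, todate: str) -> list:
    """Hardened form: validate both inputs, then bind them as query parameters."""
    for name, value in (("fromdate", fromdate), ("todate", todate)):
        if not is_valid_date(value):
            raise ValueError(f"{name} must be a date in YYYY-MM-DD form")
    if fromdate > todate:
        raise ValueError("fromdate must not be later than todate")
    sql = (
        "SELECT id, product, amount FROM sales "
        "WHERE sale_date BETWEEN ? AND ? ORDER BY id"
    )
    # The driver passes the dates as bound values; they cannot alter the statement.
    return conn.execute(sql, (fromdate, todate)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(safe_sales_report(db, "2025-06-01", "2025-06-30"))
```

For legitimate input both functions return the same rows; the difference is that the hardened version rejects anything that is not a calendar date before the database ever sees it, and even a value that slipped past validation would still reach the query only as a bound parameter. In the PHP application the equivalent is a prepared statement (PDO or mysqli with placeholders) preceded by the same format check.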

Potential Impact

For European organizations using the SourceCodester Best Salon Management System 1.0, this vulnerability poses a moderate risk. Successful exploitation could lead to unauthorized access to sensitive customer and business data stored in the salon management system's database, including appointment details, client personal information, and possibly payment data if stored. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could manipulate or delete sales records, impacting business operations and financial integrity. Since the vulnerability is remotely exploitable without authentication, attackers could target exposed management panels over the internet. However, the medium CVSS score suggests that the impact on system availability and integrity is limited, and exploitation requires some level of privilege (low privileges), which may reduce the attack surface. Organizations relying heavily on this system for daily operations could face operational disruptions if the database is compromised or corrupted.

Mitigation Recommendations

European organizations should immediately audit their deployment of the SourceCodester Best Salon Management System to determine if version 1.0 is in use and if the /panel/pro_sale.php endpoint is accessible remotely. Since no official patches are currently available, organizations should implement the following mitigations:

1) Restrict network access to the management panel by using firewalls or VPNs to limit exposure to trusted internal networks only.
2) Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'fromdate' and 'todate' parameters.
3) Conduct code reviews and apply input validation and parameterized queries or prepared statements to sanitize user inputs in the affected file if source code access is available.
4) Monitor logs for suspicious query patterns or repeated failed attempts to exploit SQL injection.
5) Plan for an upgrade or migration to a newer, patched version of the software once available, or consider alternative salon management solutions with better security postures.
6) Educate staff about the risks of exposing management interfaces publicly and enforce strong authentication and access controls where possible.
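A minimal form of the log monitoring recommended in item 4, as an added example that is not part of this page or of the product: the script parses constructed combined-format access-log lines (not real traffic; the addresses are documentation ranges), keeps only requests to /panel/pro_sale.php, and flags every fromdate or todate value that is not a plain YYYY-MM-DD date. It allow-lists the expected shape of the parameter instead of matching SQL keywords, so percent-encoded or otherwise disguised variants are caught the same way, and it counts findings per client address as the basis for a repeated-attempt alert. The log format and field positions are assumptions about a typical Apache or nginx deployment.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log format (not real traffic;
# addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2025:12:40:01 +0000] "GET /panel/pro_sale.php?fromdate=2025-06-01&todate=2025-06-30 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jun/2025:12:40:07 +0000] "GET /panel/pro_sale.php?fromdate=2025-06-01%27&todate=2025-06-30 HTTP/1.1" 500 212 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jun/2025:12:41:30 +0000] "GET /panel/index.php HTTP/1.1" 200 890 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jun/2025:12:41:45 +0000] "GET /panel/pro_sale.php?fromdate=2025-06-01&todate=2025-06-30%29 HTTP/1.1" 500 212 "-" "curl/8.0"
"""

# Fields of a combined-format request line: client, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
WATCHED_PATH = "/panel/pro_sale.php"
WATCHED_PARAMS = ("fromdate", "todate")


def find_suspicious_requests(log_text: str) -> list:
    """Return one finding per fromdate/todate value that is not a plain ISO date."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m["target"])
        if url.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes, so %27 is inspected as the quote it becomes server-side.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if not ISO_DATE.fullmatch(value):
                    findings.append({
                        "ip": m["ip"],
                        "timestamp": m["ts"],
                        "param": name,
                        "value": value,
                        "status": int(m["status"]),
                    })
    return findings


def count_by_source(findings: list) -> dict:
    """Count flagged requests per client address for a repeated-attempt threshold."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = find_suspicious_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["ip"]} {h["param"]}={h["value"]!r} -> HTTP {h["status"]}')
    print(count_by_source(hits))
```

The same allow-list rule (the value must match `^\d{4}-\d{2}-\d{2}$` after decoding) can be expressed as a WAF rule for item 2, and the HTTP 500 responses in the flagged lines are a useful secondary signal, since a malformed date that reaches an unparameterized query typically produces a database error.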


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-28T10:47:14.216Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6861377f6f40f0eb72803b36

Added to database: 6/29/2025, 12:54:23 PM

Last enriched: 6/29/2025, 1:09:27 PM

Last updated: 6/30/2025, 8:24:28 PM
