CVE-2025-6859 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester Best Salon Management System, specifically within the /panel/pro_sale.php file. The vulnerability arises from improper sanitization or validation of the 'fromdate' and 'todate' parameters, which are used in SQL queries. An attacker can remotely manipulate these parameters to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This can lead to unauthorized data retrieval, modification, or deletion, depending on the database privileges of the application. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. Despite the critical classification mentioned in the description, the CVSS 4.0 score is 5.3 (medium severity), reflecting limited impact on confidentiality, integrity, and availability, and the requirement of low privileges (PR:L) for exploitation. No known exploits are currently reported in the wild, but public disclosure of the exploit code increases the risk of future attacks. The vulnerability affects only version 1.0 of the product, and no official patches or mitigations have been linked yet.

For European organizations using the SourceCodester Best Salon Management System 1.0, this vulnerability poses a moderate risk. Successful exploitation could lead to unauthorized access to sensitive customer and business data stored in the salon management system's database, including appointment details, client personal information, and possibly payment data if stored. This could result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, attackers could manipulate or delete sales records, impacting business operations and financial integrity. Since the vulnerability is remotely exploitable without authentication, attackers could target exposed management panels over the internet. However, the medium CVSS score suggests that the impact on system availability and integrity is limited, and exploitation requires some level of privilege (low privileges), which may reduce the attack surface. Organizations relying heavily on this system for daily operations could face operational disruptions if the database is compromised or corrupted.

European organizations should immediately audit their deployment of the SourceCodester Best Salon Management System to determine if version 1.0 is in use and if the /panel/pro_sale.php endpoint is accessible remotely. Since no official patches are currently available, organizations should implement the following mitigations: 1) Restrict network access to the management panel by using firewalls or VPNs to limit exposure to trusted internal networks only. 2) Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'fromdate' and 'todate' parameters. 3) Conduct code reviews and apply input validation and parameterized queries or prepared statements to sanitize user inputs in the affected file if source code access is available. 4) Monitor logs for suspicious query patterns or repeated failed attempts to exploit SQL injection. 5) Plan for an upgrade or migration to a newer, patched version of the software once available or consider alternative salon management solutions with better security postures. 6) Educate staff about the risks of exposing management interfaces publicly and enforce strong authentication and access controls where possible.