CVE-2025-6861: SQL Injection in SourceCodester Best Salon Management System
A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /panel/add_plan.php. The manipulation of the argument plan_name/description/duration_days/price leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6861 is a SQL injection vulnerability in version 1.0 of the SourceCodester Best Salon Management System, specifically in the /panel/add_plan.php endpoint. It arises from missing sanitization and validation of the user-supplied parameters plan_name, description, duration_days, and price: values submitted in these fields reach the backend query as SQL text, so an attacker can alter the statement the database executes. This can lead to unauthorized data access, data modification, or complete compromise of the database. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) shows the flaw is exploitable over the network with low attack complexity and no user interaction, but the PR:L component means the attacker needs some authenticated access, for example a low-privileged account. The CVSS 4.0 base score is 5.3 (medium), reflecting limited impact on confidentiality, integrity, and availability together with the mitigating factors of required privileges and limited scope. No exploitation in the wild is known yet, but exploit details have been published, which raises the risk of future abuse. No patch or vendor advisory is available at this time, so organizations running this system need compensating mitigations now. Successful exploitation could let attackers extract sensitive customer or business data, alter pricing or service plans, or disrupt salon management operations, with financial and reputational consequences.
Potential Impact
For European organizations using the SourceCodester Best Salon Management System version 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of their business data. Salons and related service providers could face unauthorized disclosure of client information, including personal and payment details, leading to privacy violations under GDPR. Data tampering could disrupt service offerings, pricing, and scheduling, impacting business continuity and customer trust. Although the vulnerability requires some level of authenticated access, insider threats or compromised low-privilege accounts could be leveraged by attackers to escalate damage. The medium CVSS score suggests moderate risk, but the public disclosure of exploit details increases the likelihood of exploitation attempts. European organizations with limited cybersecurity resources or lacking timely patch management may be particularly vulnerable. Additionally, the absence of vendor patches means organizations must rely on compensating controls to mitigate risk until an official fix is available.
Mitigation Recommendations
1. Restrict access to the /panel/add_plan.php endpoint to trusted and authenticated users only, implementing strict access controls and monitoring.
2. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable parameters (plan_name, description, duration_days, price).
3. Conduct thorough input validation and sanitization on all user-supplied data, ideally using parameterized queries or prepared statements to prevent SQL injection.
4. Monitor application logs and database queries for anomalous activities indicative of injection attempts.
5. Implement multi-factor authentication (MFA) to reduce the risk of credential compromise leading to exploitation.
6. Isolate the salon management system within a segmented network zone to limit lateral movement in case of compromise.
7. Regularly back up critical data and test restoration procedures to ensure resilience against data tampering or loss.
8. Engage with the vendor or community to track patch releases and apply updates promptly once available.
9. Educate staff about phishing and credential security to minimize the risk of account compromise that could facilitate exploitation.
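As an added illustration (not code from the SourceCodester project), the pattern behind recommendation 3: a hypothetical handler for the four add_plan.php parameters, written first with string concatenation, which is the class of defect described above, and then with type validation and a PDO prepared statement. The `$pdo` connection and the `plans` table name are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumes a PDO connection $pdo
// and a hypothetical table `plans` with the four columns used below.

// VULNERABLE: request values are spliced straight into the SQL text, so a
// quote or comment sequence in any parameter changes the query structure.
function add_plan_vulnerable(PDO $pdo, array $post): bool {
    $sql = "INSERT INTO plans (plan_name, description, duration_days, price) VALUES ('"
         . $post['plan_name'] . "', '" . $post['description'] . "', "
         . $post['duration_days'] . ", " . $post['price'] . ")";
    return $pdo->exec($sql) !== false;
}

// HARDENED: validate types and lengths, then bind every value as a parameter
// so the database never parses user input as SQL.
function add_plan_safe(PDO $pdo, array $post): bool {
    $name  = trim((string)($post['plan_name'] ?? ''));
    $desc  = trim((string)($post['description'] ?? ''));
    $days  = filter_var($post['duration_days'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 3650]]);
    $price = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);

    // Reject anything that is not a plausible plan before touching the database.
    if ($name === '' || mb_strlen($name) > 100 || mb_strlen($desc) > 1000
        || $days === false || $price === false || $price < 0) {
        http_response_code(400);
        return false;
    }

    $stmt = $pdo->prepare(
        'INSERT INTO plans (plan_name, description, duration_days, price) VALUES (?, ?, ?, ?)'
    );
    $stmt->bindValue(1, $name, PDO::PARAM_STR);
    $stmt->bindValue(2, $desc, PDO::PARAM_STR);
    $stmt->bindValue(3, $days, PDO::PARAM_INT);
    // Price is bound as a fixed-format string for a DECIMAL column.
    $stmt->bindValue(4, number_format($price, 2, '.', ''), PDO::PARAM_STR);
    return $stmt->execute();
}

// Connection setup (assumed): disable emulated prepares so MySQL performs
// real server-side parameter binding, and surface errors as exceptions.
// $pdo = new PDO($dsn, $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
```

The access-control step (recommendation 1) still applies on top of this: the prepared statement removes the injection, but the handler should also verify the caller is authorized to create plans.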
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-28T10:47:20.046Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686149136f40f0eb7280937a
Added to database: 6/29/2025, 2:09:23 PM
Last enriched: 6/29/2025, 2:24:31 PM
Last updated: 7/1/2025, 7:57:52 AM
Views: 6
Related Threats
CVE-2025-49489: CWE-404 Improper Resource Shutdown or Release in ASR Falcon_Linux、Kestrel、Lapwing_Linux (Medium)
CVE-2025-6756: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themefic Ultra Addons for Contact Form 7 (Medium)
CVE-2025-5072: CWE-404 Improper Resource Shutdown or Release in ASR Falcon_Linux、Kestrel、Lapwing_Linux (Medium)
CVE-2025-41656: CWE-306 Missing Authentication for Critical Function in Pilz IndustrialPI 4 with Firmware Bullseye (Critical)
CVE-2025-41648: CWE-704 Incorrect Type Conversion or Cast in Pilz IndustrialPI 4 with IndustrialPI webstatus (Critical)