CVE-2025-7200: SQL Injection in krishna9772 Pharmacy Management System
A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. Affected is an unknown function of the file quantity_upd.php. The manipulation of the argument med_name/med_cat/ex_date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
AI Analysis
Technical Summary
CVE-2025-7200 is a SQL Injection vulnerability identified in the krishna9772 Pharmacy Management System, specifically affecting an unknown function within the file quantity_upd.php. The vulnerability arises from improper sanitization of user-controllable input parameters such as med_name, med_cat, and ex_date. An attacker can remotely manipulate these parameters to inject malicious SQL queries, potentially compromising the backend database. This could allow unauthorized data access, data modification, or even deletion, depending on the database privileges. The product uses continuous delivery with rolling releases, which complicates precise version tracking and patch availability. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no user interaction, but requiring low privileges and partial impact on confidentiality, integrity, and availability. The lack of authentication requirement for exploitation is not explicitly stated, but the CVSS vector indicates privileges required are low, suggesting some level of authentication may be needed. Overall, this vulnerability poses a moderate risk to affected systems, especially given the critical nature of pharmacy management data and the potential for data breaches or operational disruption.
Potential Impact
For European organizations, the impact of this vulnerability can be significant due to the sensitive nature of pharmacy management systems, which handle critical healthcare data including medication inventories, expiration dates, and patient prescriptions. Exploitation could lead to unauthorized disclosure of sensitive health information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Integrity compromise could cause incorrect medication dispensing records, risking patient safety. Availability impact could disrupt pharmacy operations, affecting healthcare delivery. Given the interconnected nature of healthcare providers and pharmacies in Europe, a successful attack could propagate risks across supply chains and healthcare networks. The medium CVSS score suggests moderate ease of exploitation and impact, but the criticality of healthcare data elevates the practical risk. The continuous delivery model may delay patch deployment, increasing exposure time.
Mitigation Recommendations
Specific mitigation steps include: 1) Immediate code review and sanitization of all input parameters in quantity_upd.php, especially med_name, med_cat, and ex_date, using parameterized queries or prepared statements to prevent SQL injection. 2) Implement strict input validation and whitelist acceptable input formats for these parameters. 3) Enforce least privilege principles on database accounts used by the application to limit damage scope if exploited. 4) Monitor application logs for unusual query patterns or repeated failed attempts targeting these parameters. 5) Since no official patch is currently available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoints. 6) Conduct penetration testing focused on injection vectors to verify remediation effectiveness. 7) Engage with the vendor or community to track updates or patches due to the rolling release model. 8) Ensure regular backups of the database to enable recovery in case of data tampering. 9) Educate staff about the risks and signs of exploitation to enable rapid response.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
CVE-2025-7200: SQL Injection in krishna9772 Pharmacy Management System
Description
A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. Affected is an unknown function of the file quantity_upd.php. The manipulation of the argument med_name/med_cat/ex_date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
AI-Powered Analysis
Technical Analysis
CVE-2025-7200 is a SQL Injection vulnerability identified in the krishna9772 Pharmacy Management System, specifically affecting an unknown function within the file quantity_upd.php. The vulnerability arises from improper sanitization of user-controllable input parameters such as med_name, med_cat, and ex_date. An attacker can remotely manipulate these parameters to inject malicious SQL queries, potentially compromising the backend database. This could allow unauthorized data access, data modification, or even deletion, depending on the database privileges. The product uses continuous delivery with rolling releases, which complicates precise version tracking and patch availability. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no user interaction, but requiring low privileges and partial impact on confidentiality, integrity, and availability. The lack of authentication requirement for exploitation is not explicitly stated, but the CVSS vector indicates privileges required are low, suggesting some level of authentication may be needed. Overall, this vulnerability poses a moderate risk to affected systems, especially given the critical nature of pharmacy management data and the potential for data breaches or operational disruption.
Potential Impact
For European organizations, the impact of this vulnerability can be significant due to the sensitive nature of pharmacy management systems, which handle critical healthcare data including medication inventories, expiration dates, and patient prescriptions. Exploitation could lead to unauthorized disclosure of sensitive health information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Integrity compromise could cause incorrect medication dispensing records, risking patient safety. Availability impact could disrupt pharmacy operations, affecting healthcare delivery. Given the interconnected nature of healthcare providers and pharmacies in Europe, a successful attack could propagate risks across supply chains and healthcare networks. The medium CVSS score suggests moderate ease of exploitation and impact, but the criticality of healthcare data elevates the practical risk. The continuous delivery model may delay patch deployment, increasing exposure time.
Mitigation Recommendations
Specific mitigation steps include: 1) Immediate code review and sanitization of all input parameters in quantity_upd.php, especially med_name, med_cat, and ex_date, using parameterized queries or prepared statements to prevent SQL injection. 2) Implement strict input validation and whitelist acceptable input formats for these parameters. 3) Enforce least privilege principles on database accounts used by the application to limit damage scope if exploited. 4) Monitor application logs for unusual query patterns or repeated failed attempts targeting these parameters. 5) Since no official patch is currently available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoints. 6) Conduct penetration testing focused on injection vectors to verify remediation effectiveness. 7) Engage with the vendor or community to track updates or patches due to the rolling release model. 8) Ensure regular backups of the database to enable recovery in case of data tampering. 9) Educate staff about the risks and signs of exploitation to enable rapid response.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-07-07T08:52:55.847Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 686da52a6f40f0eb72fc4561
Added to database: 7/8/2025, 11:09:30 PM
Last enriched: 7/8/2025, 11:24:33 PM
Last updated: 7/9/2025, 1:04:00 AM
Views: 3
Related Threats
CVE-2025-7215: Cleartext Storage of Sensitive Information in FNKvision FNK-GU2
LowCVE-2025-7214: Risky Cryptographic Algorithm in FNKvision FNK-GU2
LowCVE-2025-7059: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jdegayojr Simple Featured Image
MediumCVE-2025-4606: CWE-620 Unverified Password Change in uxper Sala - Startup & SaaS WordPress Theme
CriticalCVE-2025-7213: On-Chip Debug and Test Interface With Improper Access Control in FNKvision FNK-GU2
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.