Skip to main content

CVE-2025-7200: SQL Injection in krishna9772 Pharmacy Management System

Medium
VulnerabilityCVE-2025-7200cvecve-2025-7200
Published: Tue Jul 08 2025 (07/08/2025, 23:02:05 UTC)
Source: CVE Database V5
Vendor/Project: krishna9772
Product: Pharmacy Management System

Description

A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. Affected is an unknown function of the file quantity_upd.php. The manipulation of the argument med_name/med_cat/ex_date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

AI-Powered Analysis

AILast updated: 07/08/2025, 23:24:33 UTC

Technical Analysis

CVE-2025-7200 is a SQL Injection vulnerability identified in the krishna9772 Pharmacy Management System, specifically affecting an unknown function within the file quantity_upd.php. The vulnerability arises from improper sanitization of user-controllable input parameters such as med_name, med_cat, and ex_date. An attacker can remotely manipulate these parameters to inject malicious SQL queries, potentially compromising the backend database. This could allow unauthorized data access, data modification, or even deletion, depending on the database privileges. The product uses continuous delivery with rolling releases, which complicates precise version tracking and patch availability. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no user interaction, but requiring low privileges and partial impact on confidentiality, integrity, and availability. The lack of authentication requirement for exploitation is not explicitly stated, but the CVSS vector indicates privileges required are low, suggesting some level of authentication may be needed. Overall, this vulnerability poses a moderate risk to affected systems, especially given the critical nature of pharmacy management data and the potential for data breaches or operational disruption.

Potential Impact

For European organizations, the impact of this vulnerability can be significant due to the sensitive nature of pharmacy management systems, which handle critical healthcare data including medication inventories, expiration dates, and patient prescriptions. Exploitation could lead to unauthorized disclosure of sensitive health information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Integrity compromise could cause incorrect medication dispensing records, risking patient safety. Availability impact could disrupt pharmacy operations, affecting healthcare delivery. Given the interconnected nature of healthcare providers and pharmacies in Europe, a successful attack could propagate risks across supply chains and healthcare networks. The medium CVSS score suggests moderate ease of exploitation and impact, but the criticality of healthcare data elevates the practical risk. The continuous delivery model may delay patch deployment, increasing exposure time.

Mitigation Recommendations

Specific mitigation steps include: 1) Immediate code review and sanitization of all input parameters in quantity_upd.php, especially med_name, med_cat, and ex_date, using parameterized queries or prepared statements to prevent SQL injection. 2) Implement strict input validation and whitelist acceptable input formats for these parameters. 3) Enforce least privilege principles on database accounts used by the application to limit damage scope if exploited. 4) Monitor application logs for unusual query patterns or repeated failed attempts targeting these parameters. 5) Since no official patch is currently available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoints. 6) Conduct penetration testing focused on injection vectors to verify remediation effectiveness. 7) Engage with the vendor or community to track updates or patches due to the rolling release model. 8) Ensure regular backups of the database to enable recovery in case of data tampering. 9) Educate staff about the risks and signs of exploitation to enable rapid response.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-07T08:52:55.847Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686da52a6f40f0eb72fc4561

Added to database: 7/8/2025, 11:09:30 PM

Last enriched: 7/8/2025, 11:24:33 PM

Last updated: 7/9/2025, 1:04:00 AM

Views: 3

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats