cnvd - cnvd-2025-20919

CNVD-2025-20919

Vulnerability from cnvd - Published: 2025-09-09

Title

Beauty Parlour Management System /contact.php文件SQL注入漏洞

Description

Beauty Parlour Management System是一个是用于规范美容院经营流程、提升管理效率的软件系统。 Beauty Parlour Management System存在SQL注入漏洞，该漏洞源于文件/contact.php中参数fname缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令窃取数据库敏感数据。

Severity

高

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://phpgurukul.com/

Reference

https://github.com/xinxinwang99/CVE/issues/2

Impacted products

Name
Beauty Parlour Management System Beauty Parlour Management System 1.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-4758",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-4758"
    }
  },
  "description": "Beauty Parlour Management System\u662f\u4e00\u4e2a\u662f\u7528\u4e8e\u89c4\u8303\u7f8e\u5bb9\u9662\u7ecf\u8425\u6d41\u7a0b\u3001\u63d0\u5347\u7ba1\u7406\u6548\u7387\u7684\u8f6f\u4ef6\u7cfb\u7edf\u3002\n\nBeauty Parlour Management System\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/contact.php\u4e2d\u53c2\u6570fname\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u7a83\u53d6\u6570\u636e\u5e93\u654f\u611f\u6570\u636e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://phpgurukul.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-20919",
  "openTime": "2025-09-09",
  "products": {
    "product": "Beauty Parlour Management System Beauty Parlour Management System 1.1"
  },
  "referenceLink": "https://github.com/xinxinwang99/CVE/issues/2",
  "serverity": "\u9ad8",
  "submitTime": "2025-05-22",
  "title": "Beauty Parlour Management System /contact.php\u6587\u4ef6SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2025-4758 (GCVE-0-2025-4758)

Vulnerability from cvelistv5 – Published: 2025-05-16 08:00 – Updated: 2025-05-16 15:51

Title

PHPGurukul Beauty Parlour Management System contact.php sql injection

Summary

A vulnerability classified as critical has been found in PHPGurukul Beauty Parlour Management System 1.1. Affected is an unknown function of the file /contact.php. The manipulation of the argument fname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-89 - SQL Injection
CWE-74 - Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.309060	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.309060	signaturepermissions-required
	https://vuldb.com/?submit.571306	third-party-advisory
	https://github.com/xinxinwang99/CVE/issues/2	exploitissue-tracking
	https://phpgurukul.com/	product

Impacted products

	Vendor	Product	Version
	PHPGurukul	Beauty Parlour Management System	Affected: 1.1

Credits

xinxinw (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4758",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-16T15:51:25.283315Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-16T15:51:39.317Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Beauty Parlour Management System",
          "vendor": "PHPGurukul",
          "versions": [
            {
              "status": "affected",
              "version": "1.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "xinxinw (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical has been found in PHPGurukul Beauty Parlour Management System 1.1. Affected is an unknown function of the file /contact.php. The manipulation of the argument fname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in PHPGurukul Beauty Parlour Management System 1.1 entdeckt. Es betrifft eine unbekannte Funktion der Datei /contact.php. Durch Manipulation des Arguments fname mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-16T08:00:08.881Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309060 | PHPGurukul Beauty Parlour Management System contact.php sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309060"
        },
        {
          "name": "VDB-309060 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309060"
        },
        {
          "name": "Submit #571306 | PHPGurukul Beauty Parlour Management System V1.1 SQL Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.571306"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/xinxinwang99/CVE/issues/2"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://phpgurukul.com/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-15T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-15T11:17:20.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "PHPGurukul Beauty Parlour Management System contact.php sql injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4758",
    "datePublished": "2025-05-16T08:00:08.881Z",
    "dateReserved": "2025-05-15T09:12:07.736Z",
    "dateUpdated": "2025-05-16T15:51:39.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-20919

CVE-2025-4758 (GCVE-0-2025-4758)

Tags

Sightings

Nomenclature