CVE-2025-1906
Published: 04 March 2025
Summary
CVE-2025-1906 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul Restaurant Table Booking System. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the 'mobilenumber' parameter in /admin/profile.php.
Mandates identification, reporting, and correction of flaws such as the SQL injection vulnerability in this CVE to eliminate the root cause.
Boundary protection with web application firewalls blocks SQL injection attempts on the vulnerable /admin/profile.php endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely exploitable SQL injection vulnerability in a web application (/admin/profile.php), directly enabling the T1190 technique of exploiting public-facing applications to achieve limited confidentiality, integrity, and availability impacts.
NVD Description
A vulnerability has been found in PHPGurukul Restaurant Table Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be initiated…
more
remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Deeper analysisAI
CVE-2025-1906 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Restaurant Table Booking System 1.0, published on 2025-03-04. The flaw resides in unknown code within the /admin/profile.php file, where manipulation of the 'mobilenumber' argument enables SQL injection. The vulnerability is remotely exploitable, and other parameters may also be affected.
A remote attacker with high privileges (PR:H) can exploit this issue with low attack complexity (AC:L) over the network (AV:N) and without user interaction (UI:N), as indicated by the CVSS v3.1 base score of 4.7 (C:L/I:L/A:L/S:U). Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories provide further details on the vulnerability, including exploit information disclosed publicly via a GitHub issue at https://github.com/HaroldFinch-L/CVE/issues/2 and VulDB entries at https://vuldb.com/?ctiid.298426, https://vuldb.com/?id.298426, and https://vuldb.com/?submit.508915. The vendor website is https://phpgurukul.com/.
Details
- CWE(s)