CVE-2025-5729
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabianros | patient_record_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5729 is a critical SQL injection vulnerability in version 1.0 of the code-projects Health Center Patient Record Management System, specifically in the file /birthing_record.php. The vulnerability occurs because the parameter itr_no is directly used in an SQL query without proper input validation or sanitization, allowing an attacker to inject malicious SQL code remotely. This can lead to unauthorized access to sensitive patient data stored in the database. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the Health Center Patient Record Management System. An attacker can remotely exploit the SQL injection flaw to access, manipulate, or delete sensitive patient records without authorization. This could lead to data breaches, loss of trust, and disruption of healthcare services. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file birthing_record.php and testing the itr_no parameter for SQL injection. One method is to use Google Dorking with the query `inurl:birthing_record.php` to identify potentially vulnerable targets. For direct testing on your system, you can use tools like sqlmap to test the parameter, for example: `sqlmap -u "http://yourserver/birthing_record.php?itr_no=1" --batch`. Additionally, manual testing by injecting SQL payloads into the itr_no parameter and observing the response can help detect the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been published for this vulnerability. The suggested immediate step is to replace the affected software (code-projects Health Center Patient Record Management System version 1.0) with an alternative product that does not contain this vulnerability. Until a patch or fix is available, restricting access to the vulnerable endpoint and monitoring for exploitation attempts is advisable. [2]