CVE-2025-5762
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | patient_record_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical SQL injection flaw in the Patient Record Management System 1.0, specifically in the file view_hematology.php. It occurs because the parameter 'itr_no' is used directly in an SQL query without proper input validation or sanitization. This allows an attacker to manipulate the 'itr_no' parameter to execute arbitrary SQL commands remotely, potentially gaining unauthorized access to sensitive data stored in the system's database. [1, 2]
How can this vulnerability impact me? :
The vulnerability can impact you by compromising the confidentiality, integrity, and availability of the Patient Record Management System. An attacker exploiting this flaw can access sensitive patient information, alter or delete data, and disrupt system operations. Since the exploit is publicly available and remotely executable with ease, it poses a significant security risk to any organization using this software. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying requests to the vulnerable file view_hematology.php with the parameter itr_no being manipulated. One approach is to search for URLs containing "view_hematology.php" using Google Hacking techniques. On your system or network, you can monitor HTTP requests for suspicious or unusual values in the itr_no parameter that may indicate SQL injection attempts. For example, you can use tools like curl or wget to test the parameter with SQL injection payloads. A sample command to test might be: curl "http://target/view_hematology.php?itr_no=1' OR '1'='1". Additionally, web application scanners that detect SQL injection vulnerabilities can be used to automate detection. [2]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or mitigations currently available for this vulnerability. The recommended immediate step is to replace the affected software with an alternative product. Until a patch or fix is released, restricting access to the vulnerable endpoint and monitoring for exploitation attempts may help reduce risk. [2]