CVE-2025-6609
BaseFortify
Publication date: 2025-06-25
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayurik | best_salon_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6609 is a critical SQL injection vulnerability in the Best Salon Management System version 1.0, specifically in the file /panel/bwdates-reports-details.php. The vulnerability occurs because the parameters 'fromdate' and 'todate' are not properly sanitized, allowing an attacker to inject malicious SQL code. This can be exploited remotely, and in some cases without authentication, to manipulate the database queries, potentially leading to unauthorized access or data theft. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary SQL commands on your database through the vulnerable parameters. This can lead to unauthorized disclosure of sensitive information, modification or deletion of data, and disruption of service availability. Since the exploit is publicly available and can be performed remotely, it poses a significant risk to the confidentiality, integrity, and availability of your system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/panel/bwdates-reports-details.php` and testing the `fromdate` and `todate` parameters for SQL injection flaws. Attackers may use Google dorking with the query `inurl:panel/bwdates-reports-details.php` to identify vulnerable targets. For detection on your system, you can attempt to send crafted HTTP requests to the vulnerable endpoint with SQL injection payloads in the `fromdate` and `todate` parameters and observe the responses for SQL errors or unexpected behavior. Example command using curl: `curl -i 'http://target/panel/bwdates-reports-details.php?fromdate=2025-06-01'` and then try injecting SQL payloads such as `' OR '1'='1` in these parameters to see if the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected software with an alternative product, as no known countermeasures or patches have been documented. Additionally, restricting access to the vulnerable endpoint `/panel/bwdates-reports-details.php` through network controls or web application firewalls may help reduce exposure. Monitoring and blocking suspicious requests targeting the `fromdate` and `todate` parameters can also help mitigate exploitation attempts until a secure version or patch is available. [2]