CVE-2025-6860
BaseFortify
Publication date: 2025-06-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayurik | best_salon_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6860 is a critical SQL injection vulnerability in the Best Salon Management System version 1.0, specifically in the file /panel/staff_commision.php. It occurs due to improper handling of the 'fromdate' and 'todate' parameters, allowing an authenticated attacker to inject malicious SQL code. This can enable the attacker to steal sensitive information or damage the database. The vulnerability can be exploited remotely by logged-in users. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to remotely exploit the system through SQL injection, potentially compromising the confidentiality, integrity, and availability of your database. An attacker could steal sensitive information or cause damage to the database, leading to data breaches or service disruption. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/panel/staff_commision.php` and by testing the `fromdate` and `todate` parameters for SQL injection. One method to identify potentially vulnerable targets is using Google dorking with the query `inurl:panel/staff_commision.php`. For active testing, authenticated users can attempt to inject SQL code into these parameters to verify if the system is vulnerable. Specific commands depend on your environment, but a common approach is to use tools like curl or sqlmap with authentication to test the injection points. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable component by limiting authenticated user privileges, monitoring and blocking suspicious requests targeting `/panel/staff_commision.php` with `fromdate` and `todate` parameters, and applying input validation or sanitization if possible. Since no known mitigations or patches are documented, it is recommended to replace the affected component with an alternative product or remove the vulnerable functionality until a fix is available. [2]