CVE-2025-6879
BaseFortify
Publication date: 2025-06-30
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayurik | best_salon_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6879 is a critical SQL injection vulnerability in the Best Salon Management System version 1.0, specifically in the file /panel/add-tax.php. It occurs due to improper handling of the 'Name' parameter, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely and easily, potentially by any attacker without authentication, enabling them to manipulate the database, steal sensitive information, or cause damage. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system. An attacker exploiting this SQL injection flaw can steal sensitive data, alter or delete database information, and disrupt normal operations of the application. Since the exploit is easy and publicly available, it increases the risk of unauthorized access and damage to your system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/panel/add-tax.php` on your system or web server. Additionally, you can use Google Dorking with the query `inurl:panel/add-tax.php` to identify potentially vulnerable targets. Since the vulnerability involves SQL injection via the `Name` parameter, you can test this parameter for SQL injection using tools like sqlmap or manual injection attempts. Example command using sqlmap: `sqlmap -u "http://target/panel/add-tax.php" --data="Name=test" --risk=3 --level=5` to test for SQL injection in the POST data. Note that the exploit requires authentication, so testing should be done with valid credentials. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable `/panel/add-tax.php` file, especially limiting authenticated user permissions to prevent exploitation. Since no known mitigations or patches are available, it is recommended to replace the affected component or product with a secure alternative. Additionally, monitor and block suspicious SQL injection attempts at the web application firewall or network level. Applying input validation and parameterized queries in the application code would be a long-term fix, but immediate replacement or access control is advised. [2]