CVE-2025-10806
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | online_beauty_parlor_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10806 is an SQL Injection vulnerability in the Campcodes Online Beauty Parlor Management System version 1.0, specifically in the file /admin/bwdates-reports-details.php. It occurs because the fromdate and todate parameters are not properly sanitized, allowing an attacker to inject malicious SQL code. This can lead to unauthorized access or manipulation of the database by remotely exploiting the flaw. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to remotely manipulate SQL queries in the affected system, potentially leading to unauthorized data access, data leakage, modification of data, or other database-related attacks. It compromises the confidentiality, integrity, and availability of the system's data and may result in significant security breaches. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/admin/bwdates-reports-details.php` and by testing the `fromdate` and `todate` parameters for SQL injection. One method is to use Google dorking with the query `inurl:admin/bwdates-reports-details.php` to identify potentially vulnerable targets. For direct testing, you can use curl or similar tools to send crafted requests with SQL injection payloads in the `fromdate` or `todate` parameters and observe if the system behaves unexpectedly or returns SQL errors. Example command: `curl -G 'http://targetsite/admin/bwdates-reports-details.php' --data-urlencode 'fromdate=2025-09-22' --data-urlencode 'todate=2025-09-22'` and then try injecting SQL payloads such as `' OR '1'='1` in these parameters to detect vulnerability. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable `/admin/bwdates-reports-details.php` file, for example by IP whitelisting or authentication enforcement. Since no known mitigations or patches are currently available, it is recommended to replace or upgrade the affected product/component if possible. Additionally, monitoring and blocking suspicious requests targeting the `fromdate` and `todate` parameters can help reduce risk. Applying web application firewall (WAF) rules to detect and block SQL injection attempts targeting these parameters is also advised. [3]