CVE-2025-15390
Authorization Bypass in PHPGurukul Small CRM /admin/edit-user.php

Publication date: 2025-12-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Meta Information

Published: 2025-12-31
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-12-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Vendor: phpgurukul
Product: small_crm
Version / Range: 4.0
CWE

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authorization flaw in PHPGurukul Small CRM version 4.0, specifically in the /admin/edit-user.php file. The system fails to properly verify user roles before granting access to administrative functions. Although it checks if a user is authenticated, it does not confirm if the user has the necessary privileges. As a result, any authenticated user can access administrative pages and perform actions reserved for administrators, leading to privilege escalation and unauthorized control over the system. [1, 3]


How can this vulnerability impact me?

This vulnerability allows an attacker with low-level user credentials to escalate their privileges to administrator level. They can access and modify sensitive user data, change user information, and potentially take full control of the system. This can lead to data breaches, unauthorized data manipulation, and complete system compromise. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for unauthorized access to administrative URLs such as /admin/edit-user.php without proper role verification. One method is to use Google dorking with the query "inurl:admin/edit-user.php" to identify potentially vulnerable targets. Additionally, monitoring web server logs for access attempts to /admin/edit-user.php by low-privileged users may help detect exploitation attempts. Specific commands could include using curl or wget to test access, for example: curl -i http://targetsite.com/admin/edit-user.php to see if access is granted without proper authorization. [3, 1]


What immediate steps should I take to mitigate this vulnerability?

No known countermeasures or mitigations currently exist for this vulnerability. It is suggested to replace the affected product with an alternative CRM system. Until a patch or fix is available, restricting access to the /admin/edit-user.php file via network controls or web server configuration (e.g., IP whitelisting or authentication enforcement) may reduce risk, but no official vendor guidance is available. [3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized users to escalate privileges and gain full administrative access to sensitive user data, which compromises confidentiality, integrity, and availability of the system. Such unauthorized access and potential data modification can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by exposing sensitive data to unauthorized parties. [1, 3]

