CVE-2025-66947
Unknown Unknown - Not Provided

SQL Injection in krishanmuraiji SMS Admin Module Enables Data Compromise

Vulnerability report for CVE-2025-66947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-26

Last updated on: 2025-12-26

Assigner: MITRE

Description

SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-26
Last Modified
2025-12-26
Generated
2026-07-06
AI Q&A
2025-12-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
krishanmuraiji sms 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection in the krishanmuraiji SMS version 1.0, specifically in the /studentms/admin/edit-class-detail.php file via the editid GET parameter. An attacker can exploit this by using SQL SLEEP() commands to cause controlled delays, which allows them to infer the contents of the database. This means the attacker can extract information from the database by measuring response times.

Impact Analysis

The vulnerability can lead to a full database compromise, especially since it exists within an administrative module. This means an attacker could potentially access, modify, or delete sensitive data stored in the database, leading to data breaches and loss of data integrity.

Detection Guidance

This vulnerability can be detected by testing the /studentms/admin/edit-class-detail.php endpoint with the editid GET parameter for SQL injection, specifically by injecting SQL commands that cause controlled delays such as using the SQL SLEEP() function. For example, you can use curl or a browser to send requests like: curl 'http://target/studentms/admin/edit-class-detail.php?editid=1 AND SLEEP(5)' and observe if the response is delayed, indicating vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include validating and sanitizing all user inputs, especially the editid GET parameter, to prevent SQL injection. Use prepared statements or parameterized queries in the code to handle database queries safely. Additionally, restrict access to the administrative module and monitor for suspicious activity until a patch or update is applied. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart