CVE-2025-65135
Received Received - Intake
Time-Based Blind SQL Injection in School-management-system

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: MITRE

Description
In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65135
EUVD
EUVD-2025-209446
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
manikandan580 school_management_system 1.0
manikandan580 school-management-system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability has a critical impact with a CVSS v3.1 score of 9.8, affecting confidentiality, integrity, and availability.

  • Attackers can extract sensitive data such as student records, admin credentials, and personally identifiable information (PII).
  • They can manipulate or delete database records, compromising data integrity.
  • Attackers can cause denial of service by exploiting the `SLEEP()` function to delay or disrupt normal database operations.

The vulnerability requires remote network access and may require authentication since it is located in the admin panel.

Executive Summary

CVE-2025-65135 is a critical time-based blind SQL injection vulnerability found in version 1.0 of the School Management System by manikandan580. It exists in the admin reporting endpoint `/studentms/admin/between-date-reprtsdetails.php`, specifically in the `fromdate` POST parameter.

The vulnerability occurs because the `fromdate` parameter is directly embedded into an SQL query without any sanitization or parameterization, allowing attackers to inject SQL payloads that cause the database to delay responses using the `SLEEP()` function.

By measuring these delays, attackers can enumerate the entire database bit-by-bit through timing side-channel attacks, potentially extracting sensitive information.

The root cause is the lack of server-side validation and the direct interpolation of user input into SQL queries.

Detection Guidance

This vulnerability can be detected by testing the /studentms/admin/between-date-reprtsdetails.php endpoint with specially crafted POST requests targeting the fromdate parameter.

Since it is a time-based blind SQL injection, detection involves injecting payloads that cause measurable delays in server response times, such as using the SQL SLEEP() function.

For example, you can send POST requests with fromdate values containing nested SELECT(SLEEP(N)) calls and observe if the response time increases accordingly, indicating the presence of the vulnerability.

Commands using curl to test might look like this:

  • curl -X POST -d "fromdate=2026-01-01' AND (SELECT IF(SLEEP(5),1,0))-- -" https://target-domain/studentms/admin/between-date-reprtsdetails.php
  • Measure the response time; a delay of about 5 seconds suggests the injection is successful.

Automated tools that support time-based blind SQL injection detection can also be used to confirm the vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement parameterized queries using PDO or MySQLi prepared statements to handle the fromdate input safely.
  • Enforce strict server-side validation of the fromdate parameter to ensure it matches the expected YYYY-MM-DD format, rejecting invalid inputs with HTTP 400 errors.
  • Disable verbose SQL error messages in production to avoid leaking database information.
  • Restrict database user privileges to the minimum necessary, removing permissions such as FILE, SUPER, and DROP.
  • Configure MySQL settings like max_execution_time and wait_timeout to limit query execution time and reduce the window for timing attacks.
  • Deploy a Web Application Firewall (WAF) with SQL injection detection rules as an additional layer of defense.
Compliance Impact

This critical SQL injection vulnerability allows attackers to extract sensitive data such as student records, admin credentials, and personally identifiable information (PII). Exposure or unauthorized access to such data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

The ability to manipulate or delete database records and cause denial of service further increases the risk of data integrity and availability issues, which are also key compliance requirements under these standards.

Therefore, exploitation of this vulnerability can result in violations of confidentiality, integrity, and availability principles required by common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65135. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart