CVE-2025-65135
Received - Intake
Time-Based Blind SQL Injection in School-management-system

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: MITRE

Description
In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
| Vendor | Product | Version / Range |
|---|---|---|
| manikandan580 | school_management_system | 1.0 |
| manikandan580 | school-management-system | 1.0 |
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /studentms/admin/between-date-reprtsdetails.php endpoint with specially crafted POST requests targeting the fromdate parameter.

Since it is a time-based blind SQL injection, detection involves injecting payloads that cause measurable delays in server response times, such as using the SQL SLEEP() function.

For example, you can send POST requests with fromdate values containing nested SELECT(SLEEP(N)) calls and observe if the response time increases accordingly, indicating the presence of the vulnerability.

Commands using curl to test might look like this:

  • `curl -X POST -d "fromdate=2026-01-01' AND (SELECT IF(SLEEP(5),1,0))-- -" https://target-domain/studentms/admin/between-date-reprtsdetails.php`
  • Measure the response time; a delay of about 5 seconds suggests the injection is successful.

Automated tools that support time-based blind SQL injection detection can also be used to confirm the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Implement parameterized queries using PDO or MySQLi prepared statements to handle the fromdate input safely.
  • Enforce strict server-side validation of the fromdate parameter to ensure it matches the expected YYYY-MM-DD format, rejecting invalid inputs with HTTP 400 errors.
  • Disable verbose SQL error messages in production to avoid leaking database information.
  • Restrict database user privileges to the minimum necessary, removing permissions such as FILE, SUPER, and DROP.
  • Configure MySQL settings like max_execution_time and wait_timeout to limit query execution time and reduce the window for timing attacks.
  • Deploy a Web Application Firewall (WAF) with SQL injection detection rules as an additional layer of defense.
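
A sketch of the first two mitigations above (strict `fromdate` validation plus a PDO prepared statement), added here as an example and not taken from the project's code. The `students` table and its columns, the `todate` field and both helper functions are assumptions, and an in-memory SQLite database with constructed rows stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

// Accept only a real calendar date in YYYY-MM-DD form; anything else is null.
function parse_report_date(mixed $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The round trip rejects impossible dates such as 2026-02-30.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Dates are bound as parameters, so they can never change the SQL text.
function students_between(PDO $pdo, string $from, string $to): array
{
    $stmt = $pdo->prepare(
        'SELECT name, admission_date FROM students
          WHERE admission_date BETWEEN :from AND :to ORDER BY admission_date'
    );
    $stmt->execute([':from' => $from, ':to' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
// Against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE students (name TEXT, admission_date TEXT)');
$pdo->exec("INSERT INTO students VALUES ('A', '2026-01-15'), ('B', '2026-03-02')");

// Constructed requests: one well-formed, one carrying the probe string shown above.
$requests = [
    ['fromdate' => '2026-01-01', 'todate' => '2026-01-31'],
    ['fromdate' => "2026-01-01' AND (SELECT IF(SLEEP(5),1,0))-- -", 'todate' => '2026-01-31'],
];
foreach ($requests as $post) {
    $from = parse_report_date($post['fromdate'] ?? null);
    $to   = parse_report_date($post['todate'] ?? null);
    if ($from === null || $to === null) {
        // In the real handler: http_response_code(400); exit;
        echo "400 Bad Request\n";
        continue;
    }
    echo count(students_between($pdo, $from, $to)), " row(s)\n";
}
```

Validation and binding are independent layers: even if the format check were bypassed, the bound value would only ever be compared as a string against `admission_date`.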

How can this vulnerability impact me?

This vulnerability has a critical impact with a CVSS v3.1 score of 9.8, affecting confidentiality, integrity, and availability.

  • Attackers can extract sensitive data such as student records, admin credentials, and personally identifiable information (PII).
  • They can manipulate or delete database records, compromising data integrity.
  • Attackers can cause denial of service by exploiting the `SLEEP()` function to delay or disrupt normal database operations.

The vulnerability requires remote network access and may require authentication since it is located in the admin panel.


Can you explain this vulnerability to me?

CVE-2025-65135 is a critical time-based blind SQL injection vulnerability found in version 1.0 of the School Management System by manikandan580. It exists in the admin reporting endpoint `/studentms/admin/between-date-reprtsdetails.php`, specifically in the `fromdate` POST parameter.

The vulnerability occurs because the `fromdate` parameter is directly embedded into an SQL query without any sanitization or parameterization, allowing attackers to inject SQL payloads that cause the database to delay responses using the `SLEEP()` function.

By measuring these delays, attackers can enumerate the entire database bit-by-bit through timing side-channel attacks, potentially extracting sensitive information.

The root cause is the lack of server-side validation and the direct interpolation of user input into SQL queries.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This critical SQL injection vulnerability allows attackers to extract sensitive data such as student records, admin credentials, and personally identifiable information (PII). Exposure or unauthorized access to such data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

The ability to manipulate or delete database records and cause denial of service further increases the risk of data integrity and availability issues, which are also key compliance requirements under these standards.

Therefore, exploitation of this vulnerability can result in violations of confidentiality, integrity, and availability principles required by common standards and regulations.

