Platform
php
Fixed version
1.0.1
A SQL Injection vulnerability has been discovered in 1000projects Beauty Parlour Management System version 1.0. This flaw allows attackers to manipulate SQL queries through the 'fromdate' and 'todate' parameters within the /admin/bwdates-reports-details.php file. Successful exploitation could lead to unauthorized data access and modification, impacting the confidentiality and integrity of the system. The vulnerability is fixed in version 1.0.1.
The SQL Injection vulnerability in Beauty Parlour Management System poses a significant risk to data security. An attacker could leverage this flaw to bypass authentication mechanisms, potentially gaining administrative access to the system. They could then extract sensitive customer data, including personal information, appointment details, and financial records. Furthermore, the attacker might be able to modify or delete data, disrupting business operations and potentially leading to regulatory compliance issues. The publicly available exploit increases the likelihood of exploitation.
This vulnerability is considered high risk due to its HIGH CVSS score and the availability of a public proof-of-concept. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was publicly disclosed on 2025-09-03, increasing the window of opportunity for exploitation.
Organizations utilizing Beauty Parlour Management System version 1.0, particularly those with sensitive customer data or limited security expertise, are at significant risk. Shared hosting environments where multiple clients share the same server instance are also particularly vulnerable, as a compromise of one client could potentially impact others.
• php / web:
curl -s -X POST "http://<target>/admin/bwdates-reports-details.php" -d "fromdate='; DROP TABLE users;--" | grep "error in your SQL syntax"
• generic web:
curl -s -X POST "http://<target>/admin/bwdates-reports-details.php?todate='; SELECT version();--" | grep "MySQL version"
disclosure
poc
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-9919 is to immediately upgrade Beauty Parlour Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out malicious SQL injection attempts targeting the /admin/bwdates-reports-details.php endpoint. Input validation and sanitization on the 'fromdate' and 'todate' parameters can also provide a temporary layer of defense. Monitor application logs for suspicious SQL queries and unusual database activity.
Update to the patched version of the software. If a patched version is not available, contact the vendor for a resolution, or apply security measures such as validating and sanitizing the 'fromdate' and 'todate' inputs to prevent SQL injection. A Web Application Firewall (WAF) can also be deployed to detect and block exploitation attempts.
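As an added example (not code from 1000projects or from this advisory), a hardened PHP handler for a date-range report like the one described above: it rejects any 'fromdate'/'todate' value that is not a real calendar date and binds the values with a PDO prepared statement instead of concatenating them into SQL. Table and column names are hypothetical.

```php
<?php
// Added example (not the 1000projects code): hardened date-range report handler.
declare(strict_types=1);

/**
 * Return a validated YYYY-MM-DD string, or null if the input is not a real date.
 * Anything else (including injection payloads) never reaches the query.
 */
function validateDate(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat is lenient (e.g. 2025-02-30 rolls over to March), so
    // round-trip the value to make sure it is an exact, existing date.
    if ($d === false || $d->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

/**
 * Fetch report rows for a date range using a prepared statement.
 * User input is bound as a parameter, never concatenated into the SQL text.
 */
function fetchReportRows(PDO $pdo, string $fromdate, string $todate): array
{
    $from = validateDate($fromdate);
    $to   = validateDate($todate);
    if ($from === null || $to === null || $from > $to) {
        throw new InvalidArgumentException('fromdate/todate must be valid YYYY-MM-DD dates');
    }
    // Hypothetical table/column names; the placeholders are the important part.
    $sql = 'SELECT id, customer_name, appointment_date, amount
              FROM appointments
             WHERE DATE(appointment_date) BETWEEN :fromdate AND :todate';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':fromdate', $from, PDO::PARAM_STR);
    $stmt->bindValue(':todate', $to, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (replaces the unsafe pattern "... BETWEEN '$_POST[fromdate]' AND ..."):
// $pdo = new PDO('mysql:host=localhost;dbname=bpms', $user, $pass,
//     [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $rows = fetchReportRows($pdo, $_POST['fromdate'] ?? '', $_POST['todate'] ?? '');
```

With PDO::ATTR_EMULATE_PREPARES disabled, the MySQL server parses the statement before the values are sent, so the bound dates can never be interpreted as SQL.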
CVE-2025-9919 is a SQL Injection vulnerability affecting Beauty Parlour Management System version 1.0, allowing attackers to manipulate SQL queries and potentially access sensitive data.
If you are using Beauty Parlour Management System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to Beauty Parlour Management System version 1.0.1 or later. Consider WAF rules as a temporary workaround.
While no active campaigns are confirmed, the public availability of a proof-of-concept increases the likelihood of exploitation.
Refer to the 1000projects website or relevant security mailing lists for the official advisory regarding CVE-2025-9919.