Platform: php
Fixed in: 1.0.1
A SQL Injection vulnerability has been discovered in 1000projects Beauty Parlour Management System version 1.0. This flaw allows attackers to manipulate SQL queries through the 'fromdate' and 'todate' parameters within the /admin/bwdates-reports-details.php file. Successful exploitation could lead to unauthorized data access and modification, impacting the confidentiality and integrity of the system. The vulnerability is fixed in version 1.0.1.
The SQL Injection vulnerability in Beauty Parlour Management System poses a significant risk to data security. An attacker could leverage this flaw to bypass authentication mechanisms, potentially gaining administrative access to the system. They could then extract sensitive customer data, including personal information, appointment details, and financial records. Furthermore, the attacker might be able to modify or delete data, disrupting business operations and potentially leading to regulatory compliance issues. The publicly available exploit increases the likelihood of exploitation.
This vulnerability is considered high risk due to its high CVSS score and the availability of a public proof-of-concept. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was publicly disclosed on 2025-09-03, increasing the window of opportunity for exploitation.
Organizations utilizing Beauty Parlour Management System version 1.0, particularly those with sensitive customer data or limited security expertise, are at significant risk. Shared hosting environments where multiple clients share the same server instance are also particularly vulnerable, as a compromise of one client could potentially impact others.
• php / web:
curl -s -X POST "http://<target>/admin/bwdates-reports-details.php" -d "fromdate='; DROP TABLE users;--" | grep "error in your SQL syntax"
• generic web:
curl -s -X POST "http://<target>/admin/bwdates-reports-details.php?todate='; SELECT version();--" | grep "MySQL version"
Disclosure
poc
Exploit Status
EPSS: 0.03% (9% percentile)
The primary mitigation for CVE-2025-9919 is to immediately upgrade Beauty Parlour Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out malicious SQL injection attempts targeting the /admin/bwdates-reports-details.php endpoint. Input validation and sanitization on the 'fromdate' and 'todate' parameters can also provide a temporary layer of defense. Monitor application logs for suspicious SQL queries and unusual database activity.
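As an added illustration of the input validation and parameterization recommended above (example code, not code from 1000projects or from the affected product), a hardened PHP handler for a date-range report endpoint. The table and column names, the use of $_POST, and the $db mysqli connection are assumptions.

```php
<?php
// Added example, not the project's own code. Hardened handling of the
// 'fromdate' / 'todate' parameters of a date-range report page.
// Assumed: an existing mysqli connection in $db, a table tblappointment
// with an AppointmentDate column, and parameters arriving via POST.

/**
 * Accept only a real calendar date written exactly as Y-m-d.
 * Returns the validated string, or null for anything else.
 */
function validateReportDate($value): ?string
{
    if (!is_string($value)) {
        return null; // missing, or an array smuggled in via fromdate[]
    }
    // '!' resets unspecified fields; trailing characters make this fail.
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat silently rolls "2025-02-30" over to March 2, so a
    // round-trip comparison rejects impossible dates as well as garbage.
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

function fetchReport(mysqli $db, string $fromdate, string $todate): array
{
    // The user-controlled values never become part of the SQL text;
    // they are bound as parameters, so quotes and comments are inert.
    $stmt = $db->prepare(
        'SELECT ID, Name, AppointmentDate FROM tblappointment '
        . 'WHERE DATE(AppointmentDate) BETWEEN ? AND ? '
        . 'ORDER BY AppointmentDate'
    );
    $stmt->bind_param('ss', $fromdate, $todate);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$from = validateReportDate($_POST['fromdate'] ?? null);
$to   = validateReportDate($_POST['todate'] ?? null);
if ($from === null || $to === null || $from > $to) {
    // Reject and log rather than fall back to a default range; a malformed
    // date here is worth a line in the application log.
    error_log('bwdates report: rejected date range input');
    http_response_code(400);
    exit('Invalid date range');
}
$rows = fetchReport($db, $from, $to);
```

Validation alone would already block the quote-based payloads in the proof-of-concept, but the prepared statement is what removes the injection class entirely, so both belong in the fix.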
Update to a patched version of the software. If no patched version is available, it is recommended to contact the vendor for a solution or to apply security measures, such as validation and sanitization of the 'fromdate' and 'todate' input to prevent SQL injection. A web application firewall (WAF) can also be implemented to detect and block exploitation attempts.
CVE-2025-9919 is a SQL Injection vulnerability affecting Beauty Parlour Management System version 1.0, allowing attackers to manipulate SQL queries and potentially access sensitive data.
If you are using Beauty Parlour Management System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to Beauty Parlour Management System version 1.0.1 or later. Consider WAF rules as a temporary workaround.
While no active campaigns are confirmed, the public availability of a proof-of-concept increases the likelihood of exploitation.
Refer to the 1000projects website or relevant security mailing lists for the official advisory regarding CVE-2025-9919.