A SQL Injection vulnerability has been discovered in 1000projects Beauty Parlour Management System version 1.0. This flaw allows attackers to manipulate SQL queries through the 'fromdate' and 'todate' parameters within the /admin/bwdates-reports-details.php file. Successful exploitation could lead to unauthorized data access and modification, impacting the confidentiality and integrity of the system. The vulnerability is fixed in version 1.0.1.
The SQL injection in Beauty Parlour Management System is a direct route into the application's database. The vulnerable query is a date-range report, so anyone who can reach the page can use UNION-, error- or time-based injection through 'fromdate' or 'todate' to read tables the report was never meant to expose, including customer personal information, appointment details and financial records. Depending on the privileges of the database account the application connects with, the attacker may also be able to modify or delete rows, disrupting business operations and creating regulatory compliance exposure. The publicly available exploit lowers the bar for exploitation further.
This vulnerability is considered high risk due to its HIGH CVSS score and the availability of a public proof-of-concept. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was publicly disclosed on 2025-09-03, increasing the window of opportunity for exploitation.
Organizations utilizing Beauty Parlour Management System version 1.0, particularly those with sensitive customer data or limited security expertise, are at significant risk. Shared hosting environments where multiple clients share the same server instance are also particularly vulnerable, as a compromise of one client could potentially impact others.
• php / web (non-destructive detection; replace <target>, and supply an admin session cookie with -b if the page requires one):
curl -s -X POST "http://<target>/admin/bwdates-reports-details.php" -d "fromdate='&todate=2025-01-01" | grep -i "error in your SQL syntax"
• generic web (same check against the 'todate' parameter):
curl -s -X POST "http://<target>/admin/bwdates-reports-details.php" -d "fromdate=2025-01-01&todate='" | grep -i "error in your SQL syntax"
A single unbalanced quote is enough to show the input reaches the query unescaped when MySQL errors are echoed back. Stacked statements such as '; DROP TABLE users;-- are both destructive and pointless here: mysqli_query() executes only one statement, so they neither confirm nor exploit the flaw. If the page swallows database errors, fall back to a boolean- or time-based check instead of grepping for the error string.
Exploitation status: public proof-of-concept disclosed
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2025-9919 is to upgrade Beauty Parlour Management System to version 1.0.1 or later immediately. If upgrading is not feasible right away, deploy a Web Application Firewall (WAF) with rules that filter SQL injection attempts against the /admin/bwdates-reports-details.php endpoint, bearing in mind that a WAF only blocks the patterns it knows about. Strict validation of the 'fromdate' and 'todate' parameters (they should only ever be calendar dates) and, in the code itself, parameterized queries remove the flaw rather than mask it. Monitor application and database logs for suspicious SQL fragments in these parameters and for unusual database activity.
Upgrade to the patched version of the software. If no patched version is available yet, contact the vendor for a fix or apply compensating controls such as validating and sanitizing the 'fromdate' and 'todate' inputs to prevent SQL injection. A Web Application Firewall (WAF) can also be deployed to detect and block exploitation attempts.
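The input validation and parameterized-query advice in the mitigation and remediation sections above, shown as a worked example. This is added example code, not code from 1000projects or from the affected application: the vulnerable handler is reconstructed from the advisory's description of the flaw, and the table name tblappointment, the column AppointmentDate and the connection variable $con are assumptions.

```php
<?php
// Added example (not the project's code). Assumes $con is an open mysqli
// connection and that the report queries an assumed table tblappointment
// with an assumed date column AppointmentDate.

// VULNERABLE: the pattern the advisory describes. Both parameters are
// concatenated straight into the SQL string, so fromdate=' breaks the
// query and the attacker controls everything after the quote.
function report_vulnerable(mysqli $con, string $fromdate, string $todate)
{
    $sql = "SELECT * FROM tblappointment "
         . "WHERE date(AppointmentDate) BETWEEN '$fromdate' AND '$todate'";
    return mysqli_query($con, $sql);
}

// Accept only a real calendar date in YYYY-MM-DD form. Round-tripping
// through DateTime rejects both malformed strings and impossible dates
// such as 2025-02-30.
function valid_date(string $s): bool
{
    $d = DateTime::createFromFormat('!Y-m-d', $s);
    return $d !== false && $d->format('Y-m-d') === $s;
}

// HARDENED: validate the shape of the input first, then bind it as a
// parameter so the database never interprets it as SQL.
function report_hardened(mysqli $con, string $fromdate, string $todate)
{
    if (!valid_date($fromdate) || !valid_date($todate) || $fromdate > $todate) {
        http_response_code(400);
        exit('Invalid date range');
    }
    $stmt = $con->prepare(
        "SELECT * FROM tblappointment "
      . "WHERE date(AppointmentDate) BETWEEN ? AND ?"
    );
    $stmt->bind_param('ss', $fromdate, $todate);
    $stmt->execute();
    return $stmt->get_result();
}

// Request handling: only the hardened path is reachable.
if (isset($_POST['fromdate'], $_POST['todate'])) {
    $rows = report_hardened($con, $_POST['fromdate'], $_POST['todate']);
    while ($row = $rows->fetch_assoc()) {
        echo htmlspecialchars(json_encode($row), ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

With the hardened handler, the detection payload from the PoC section (fromdate=') is rejected with HTTP 400 before any query runs, and a value that passes validation cannot alter the statement because it travels as a bound parameter. mysqli_stmt::get_result() requires the mysqlnd driver; on builds without it, use bind_result() and fetch() instead.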
CVE-2025-9919 is a SQL Injection vulnerability affecting Beauty Parlour Management System version 1.0, allowing attackers to manipulate SQL queries and potentially access sensitive data.
If you are using Beauty Parlour Management System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to Beauty Parlour Management System version 1.0.1 or later. Consider WAF rules as a temporary workaround.
While no active campaigns are confirmed, the public availability of a proof-of-concept increases the likelihood of exploitation.
Refer to the 1000projects website or relevant security mailing lists for the official advisory regarding CVE-2025-9919.