CVE-2025-65135
manikandan580 · School-management-system
A time-based blind SQL injection vulnerability exists in the School-management-system 1.0 via the fromdate parameter in /studentms/admin/between-date-reprtsdetails.php.
Executive summary
A critical SQL injection vulnerability in the School-management-system 1.0 allows an attacker to extract sensitive database information via time-based inference.
Vulnerability
The application fails to properly sanitize the fromdate POST parameter in the administrative reporting module, which allows time-based blind SQL injection. The vulnerable script is potentially accessible to attackers with administrative access.
Business impact
A CVSS score of 9.8 reflects the high risk of total database compromise. Successful exploitation could allow an attacker to dump sensitive student and administrative data, leading to severe privacy breaches and significant reputational damage to the educational institution.
Remediation
Immediate Action: Given that this appears to be a legacy or niche system, assess the feasibility of upgrading or applying custom input validation patches to the affected PHP script.
Proactive Monitoring: Monitor database query performance logs for anomalous delays or repetitive time-based patterns indicative of blind SQL injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block SQL injection patterns in POST parameters targeting the /studentms/admin/ directory.
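One way to implement the Proactive Monitoring check above, as an added example that is not part of the original advisory or the project's code. It assumes a combined-style access log whose last field is the request duration in seconds; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Path is from the advisory. The log layout is an assumption: combined-style
# access log with the request duration in seconds as the last field.
TARGET = "/studentms/admin/between-date-reprtsdetails.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ (?P<rt>\d+\.\d+)$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = f"""\
198.51.100.7 - - [12/Nov/2025:10:00:01 +0000] "POST {TARGET} HTTP/1.1" 200 5120 0.084
198.51.100.7 - - [12/Nov/2025:10:00:40 +0000] "POST {TARGET} HTTP/1.1" 200 90412 4.210
203.0.113.45 - - [12/Nov/2025:10:02:11 +0000] "POST {TARGET} HTTP/1.1" 200 512 5.031
203.0.113.45 - - [12/Nov/2025:10:02:12 +0000] "POST {TARGET} HTTP/1.1" 200 512 0.091
203.0.113.45 - - [12/Nov/2025:10:02:17 +0000] "POST {TARGET} HTTP/1.1" 200 512 5.024
203.0.113.45 - - [12/Nov/2025:10:02:22 +0000] "POST {TARGET} HTTP/1.1" 200 512 5.048
203.0.113.45 - - [12/Nov/2025:10:02:30 +0000] "GET /studentms/admin/dashboard.php HTTP/1.1" 200 800 6.000
192.0.2.10 - - [12/Nov/2025:11:00:00 +0000] "POST {TARGET} HTTP/1.1" 200 70000 3.400
192.0.2.10 - - [12/Nov/2025:11:05:00 +0000] "POST {TARGET} HTTP/1.1" 200 99000 7.900
192.0.2.10 - - [12/Nov/2025:11:09:00 +0000] "POST {TARGET} HTTP/1.1" 200 81000 5.100
"""

def find_timing_probes(log_text, slow_s=3.0, min_slow=3, jitter=0.5):
    """Return {ip: [durations]} for clients whose slow POSTs to TARGET repeat
    with near-identical durations, the pattern left by time-based inference."""
    slow = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != TARGET:
            continue  # unparsable line, other method, or other endpoint
        rt = float(m["rt"])
        if rt >= slow_s:
            slow[m["ip"]].append(rt)
    flagged = {}
    for ip, times in slow.items():
        # Heavy legitimate reports vary in duration; induced delays cluster tightly.
        if len(times) >= min_slow and max(times) - min(times) <= jitter:
            flagged[ip] = times
    return flagged

if __name__ == "__main__":
    for ip, times in find_timing_probes(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(times)} slow POSTs with clustered durations {times}")
```

Tune slow_s, min_slow and jitter against the normal duration of date-range reports in the deployment before alerting on the result.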
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The severity of this SQL injection vulnerability necessitates immediate attention. If a patch is unavailable from the developer, administrators should consider restricting access to the affected administrative reporting module or migrating to a more secure, maintained platform.