A critical vulnerability has been identified in the PuneethReddyHC event-management software, which allows an unauthenticated attacker to steal sensitive information directly from the application's database. The flaw exists in a product search feature and can be easily exploited over the internet to access confidential data, potentially leading to a significant data breach and system compromise. Due to the high severity and ease of exploitation, immediate remediation is strongly advised.

The application is vulnerable to SQL injection due to improper input handling in the /Grocery/search_products_itname.php script. An attacker can submit a specially crafted SQL payload via the sitem_name POST parameter when using the product search function. The application fails to sanitize this user-supplied input, incorporating it directly into a database query, which allows the attacker's malicious SQL code to be executed by the backend database. This can be used to alter the logic of SQL queries to bypass security mechanisms, exfiltrate the entire contents of the database, modify or delete data, and in some configurations, achieve remote code execution on the database server.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for significant business disruption and data loss. Successful exploitation could lead to a severe data breach, exposing sensitive customer information, user credentials, financial records, and other proprietary business data. Such an incident would likely result in substantial financial costs from regulatory fines (e.g., GDPR, CCPA), incident response efforts, and potential litigation. Furthermore, the reputational damage and loss of customer trust could have a lasting negative impact on the organization.

Immediate Action: Immediately update the PuneethReddyHC event-management software to the latest version provided by the vendor, which addresses this vulnerability. After patching, review web server and database access logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: System administrators should actively monitor web server logs for suspicious POST requests to the /Grocery/search_products_itname.php endpoint. Specifically, look for payloads in the sitem_name parameter containing SQL syntax such as single quotes ('), comment characters (--, #), or keywords like UNION, SELECT, and SLEEP. Database logs should also be monitored for anomalous queries originating from the web application server.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a ruleset configured to detect and block SQL injection attacks against this specific parameter. Additionally, ensure the application's database user account operates with the principle of least privilege, restricting its permissions to only what is absolutely necessary for application functionality, which can limit the impact of a successful exploit.

Public Exploit Available: False (as of Dec 23, 2025)

Given the critical CVSS score of 9.8 and the direct risk of a major data breach, this vulnerability requires immediate attention. We strongly recommend that organizations identify all instances of the affected software and apply the vendor-supplied patch on an emergency basis. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity and the ease of exploitation make it a prime target for future inclusion. Prioritizing this remediation is critical to protecting sensitive data and preventing a compromise of the backend infrastructure.