CVE-2025-15390
📋 TL;DR
This vulnerability in PHPGurukul Small CRM 4.0 allows unauthorized access to the edit-user.php admin function, enabling attackers to modify user accounts without proper authentication. It affects all installations of Small CRM 4.0 that expose the admin interface. Attackers can exploit this remotely to manipulate user data and potentially escalate privileges.
💻 Affected Systems
- PHPGurukul Small CRM
📦 What is this software?
Small CRM by PHPGurukul
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative control over the CRM system, modify all user accounts, steal sensitive customer data, and potentially pivot to other systems.
Likely Case
Unauthorized modification of user accounts, privilege escalation to admin roles, and potential data exfiltration of customer information.
If Mitigated
Limited impact with proper network segmentation and access controls, but still exposes user management functions to unauthorized access.
🎯 Exploit Status
Exploit details are publicly available on GitHub. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://phpgurukul.com/
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates. Consider implementing workarounds or migrating to alternative software.
🔧 Temporary Workarounds
Restrict Access to Admin Directory
Block external access to the /admin directory using web server configuration or firewall rules.
# Apache 2.2: add to .htaccess in the admin directory
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
# Apache 2.4 equivalent: Require ip 192.168.1.0/24
# Nginx: add to the server block (allow must come before deny; nginx applies the first rule that matches)
location /admin {
    allow 192.168.1.0/24;
    deny all;
}
Implement Authentication Proxy
Place the admin interface behind an additional authentication layer like HTTP basic auth or a reverse proxy with strong authentication.
# Apache basic auth example: add to .htaccess in the admin directory
# (the directory must have AllowOverride AuthConfig; the .htpasswd path is a placeholder)
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
🧯 If You Can't Patch
- Isolate the CRM system on a separate network segment with strict firewall rules limiting access to authorized IPs only.
- Implement web application firewall (WAF) rules to block requests to /admin/edit-user.php from unauthorized sources.
🔍 How to Verify
Check if Vulnerable:
Attempt to access /admin/edit-user.php without authentication. If accessible and allows user modification, the system is vulnerable.
Check Version:
Check the CRM version in the admin dashboard or look for version information in the source code/composer files.
Verify Fix Applied:
Verify that /admin/edit-user.php returns 403 Forbidden or requires proper authentication when accessed without credentials.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /admin/edit-user.php without corresponding authentication logs
- POST requests to edit-user.php from unexpected IP addresses
- Unusual user account modifications in application logs
Network Indicators:
- Unusual traffic patterns to admin endpoints
- Requests to edit-user.php from external IPs
SIEM Query:
source="web_server" AND (url="/admin/edit-user.php" OR url="/admin/edit-user") AND NOT (user="admin" OR auth_success="true")
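The log indicators above, turned into a check that runs over web-server access-log lines (an added example, not code from the advisory or the vendor). It assumes combined log format, that the %u field is filled in by the basic-auth workaround described above, and reuses the paths and the 192.168.1.0/24 allowlist from this page; the sample lines are constructed.

```python
import ipaddress
import re

# Combined log format fields used here (the sample lines below are constructed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PATHS = {"/admin/edit-user.php", "/admin/edit-user"}  # both forms from the SIEM query
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: same allowlist as the workaround

SAMPLE_LOG = [  # constructed sample lines, not from a real installation
    '192.168.1.10 - admin [01/Jan/2025:10:00:00 +0000] "GET /admin/edit-user.php?uid=3 HTTP/1.1" 200 4210',
    '203.0.113.7 - - [01/Jan/2025:10:05:12 +0000] "GET /admin/edit-user.php?uid=3 HTTP/1.1" 200 4210',
    '203.0.113.7 - - [01/Jan/2025:10:05:20 +0000] "POST /admin/edit-user.php?uid=3 HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2025:10:07:00 +0000] "GET /admin/edit-user.php HTTP/1.1" 403 199',
    '192.168.1.22 - - [01/Jan/2025:10:09:00 +0000] "GET /index.php HTTP/1.1" 200 1200',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec

def is_trusted(ip):
    try:
        return ipaddress.ip_address(ip) in TRUSTED_NET
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False

def find_suspicious(lines):
    """Return (ip, method, status, reason) for each hit on the advisory's log indicators."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in TARGET_PATHS:
            continue
        reasons = []
        # 200 served with an empty %u field: the page rendered and no basic-auth user was recorded
        if rec["status"] == 200 and rec["user"] == "-":
            reasons.append("200 without authenticated user")
        # POST is the actual edit; anything from outside the allowlist is unexpected
        if rec["method"] == "POST" and not is_trusted(rec["ip"]):
            reasons.append("POST from untrusted IP")
        if reasons:
            alerts.append((rec["ip"], rec["method"], rec["status"], "; ".join(reasons)))
    return alerts
```

Point `find_suspicious` at the lines of your real access log; the 403 line and the authenticated GET from the trusted range produce no alert, which is the expected state once the workarounds are in place.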
🔗 References
- https://github.com/rsecroot/Small-Customer-Relationship-Management-CRM-in-PHP/blob/main/Broken%20Access%20Control.md
- https://phpgurukul.com/
- https://vuldb.com/?ctiid.339151
- https://vuldb.com/?id.339151
- https://vuldb.com/?submit.727430