CVE-2025-5359

7.3 HIGH

📋 TL;DR

A critical SQL injection vulnerability in Campcodes Online Hospital Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in /appointment-history.php. This affects all installations of version 1.0, potentially compromising sensitive patient and hospital data.

💻 Affected Systems

Products:
  • Campcodes Online Hospital Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The vulnerability is in the core application code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized access to sensitive patient records, appointment data, and potentially administrative credentials stored in the database.

🟢 If Mitigated: Limited impact if proper input validation and WAF rules block malicious SQL payloads.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a web application component.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but external exposure is more concerning.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection vulnerabilities are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch is available. Until one is released, implement parameterized queries or strict input validation for the ID parameter as a mitigation.

🔧 Temporary Workarounds

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns targeting the ID parameter.

Depends on specific WAF platform

Input Validation Filter

all

Add server-side validation to ensure the ID parameter contains only numeric values.

Modify /appointment-history.php to validate $_GET['ID'] with is_numeric() or similar
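A hardened version of that check, added here as an example; it is not code from the Campcodes project. The table name tblappointment, its column names and the connection details are assumptions, and FILTER_VALIDATE_INT is used instead of is_numeric() because is_numeric() also accepts values such as "1.5", "1e3" and " 7":

```php
<?php
// Added example (not the project's own code): hardened handling of the
// ID parameter in /appointment-history.php. Table and column names
// (tblappointment, ID, AppointmentDate, Doctor) are assumptions.
declare(strict_types=1);

// 1. Accept only a plain positive integer. filter_input() returns null
//    when the parameter is absent and false when validation fails.
$id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid appointment ID');
}

// 2. Never interpolate the value into the SQL string; bind it instead.
//    Connection details are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

$stmt = $db->prepare(
    'SELECT AppointmentDate, Doctor FROM tblappointment WHERE ID = ?'
);
$stmt->bind_param('i', $id);   // 'i' binds the value as an integer
$stmt->execute();
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {
    // Encode on output so a stored value cannot become script in the page.
    echo htmlspecialchars($row['AppointmentDate'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['Doctor'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
$db->close();
```

The validation step alone blocks the string payloads this advisory describes; the prepared statement is what removes the injection regardless of how the parameter is later used.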

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test the /appointment-history.php endpoint with SQL injection payloads like ' OR '1'='1 in the ID parameter.

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and that the application returns an appropriate error message or a sanitized response.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple requests to /appointment-history.php with suspicious ID parameters

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in URL parameters

SIEM Query:

source="web_logs" AND url="/appointment-history.php" AND (id="*'*" OR id="*SELECT*" OR id="*UNION*")
