CVE-2025-5675

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in Campcodes Online Teacher Record Management System 1.0 allows attackers to execute arbitrary SQL commands through the fromdate and todate parameters of /trms/admin/bwdates-reports-details.php. Remote attackers can potentially access, modify, or delete database content. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Campcodes Online Teacher Record Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin interface to be accessible and the vulnerable PHP file to be present

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠 Likely Case: Unauthorized data access, privilege escalation, or data manipulation in the teacher record database

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to specific tables

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web-accessible admin functionality
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this if they have network access to the system

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable by attackers with basic SQL injection knowledge

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries or input validation as described in workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation for fromdate and todate parameters to only accept expected date formats

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint

🧯 If You Can't Patch

  • Restrict network access to the admin interface using firewall rules or VPN
  • Run the application under a database user with only the minimal necessary permissions to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check if /trms/admin/bwdates-reports-details.php exists and test with SQL injection payloads in fromdate/todate parameters

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Test the vulnerable endpoint with SQL injection payloads to confirm they are properly rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple failed login attempts followed by SQL injection patterns
  • Unexpected database queries from web application user

Network Indicators:

  • HTTP requests to /trms/admin/bwdates-reports-details.php containing SQL keywords like UNION, SELECT, INSERT

SIEM Query:

source="web_server_logs" AND (uri="/trms/admin/bwdates-reports-details.php" AND (request CONTAINS "UNION" OR request CONTAINS "SELECT" OR request CONTAINS "INSERT"))
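
The keyword query above misses URL-encoded values and calendar-invalid input, so the following added example (not part of the original advisory or the vendor's code) decodes each request to the endpoint and flags any fromdate/todate value that is not a strict date. Assumptions: combined-format access logs, parameters visible in the logged query string (POST bodies are not), and a YYYY-MM-DD date format; the function names and sample log lines are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/trms/admin/bwdates-reports-details.php"
DATE_PARAMS = ("fromdate", "todate")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SQL_WORDS = re.compile(r"\b(union|select|insert)\b", re.I)  # keywords named in the advisory

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2025:10:00:01 +0000] "GET /trms/admin/bwdates-reports-details.php?fromdate=2025-01-01&todate=2025-01-31 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2025:10:02:13 +0000] "GET /trms/admin/bwdates-reports-details.php?fromdate=2025-01-01%27%20uNiOn%20sElEcT%201&todate=2025-01-31 HTTP/1.1" 200 734',
    '203.0.113.9 - - [01/Jun/2025:10:02:40 +0000] "GET /trms/admin/bwdates-reports-details.php?fromdate=2025-02-30&todate=2025-03-01 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2025:10:03:02 +0000] "GET /trms/admin/dashboard.php?q=select HTTP/1.1" 200 900',
]

def is_iso_date(value):
    """True only for a real calendar date written exactly as YYYY-MM-DD (assumed format)."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
        return True
    except ValueError:  # e.g. 2025-02-30
        return False

def inspect_line(line):
    """Return (param, kind, decoded_value) findings for one log line; empty list if clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    findings = []
    for name in DATE_PARAMS:
        for value in params.get(name, []):
            if not is_iso_date(value):
                kind = "sql-keyword" if SQL_WORDS.search(value) else "not-a-date"
                findings.append((name, kind, value))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line) or "ok")
```

The same allow-list check (reject anything that is not a valid date before it reaches the query) is what the input-validation workaround asks the application itself to enforce.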
