CVE-2025-5762 – A critical SQL injection vulnerability exists i... (How to Fix)

Q: What is the severity of CVE-2025-5762?

CVE-2025-5762 has a CVSS score of 6.3 (MEDIUM). A critical SQL injection vulnerability exists in code-projects Patient Record Management System 1.0, specifically in the view_hematology.php file's itr_no parameter. This allows remote attackers to execute arbitrary SQL commands on the database. All users running the vulnerable version are affected.

📋 TL;DR

A critical SQL injection vulnerability exists in code-projects Patient Record Management System 1.0, specifically in the view_hematology.php file's itr_no parameter. This allows remote attackers to execute arbitrary SQL commands on the database. All users running the vulnerable version are affected.

💻 Affected Systems

Products:

code-projects Patient Record Management System

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Any installation with view_hematology.php accessible is vulnerable. The system must be internet-facing or accessible to attackers.

📦 What is this software?

Patient Record Management System by Code Projects

View all CVEs affecting Patient Record Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including patient record theft, data destruction, and potential system takeover via SQL injection leading to remote code execution.

🟠

Likely Case

Unauthorized access to sensitive patient data, database manipulation, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available in GitHub repositories. SQL injection via itr_no parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check code-projects.org for official patch. 2. If no patch, implement input validation and parameterized queries. 3. Replace vulnerable view_hematology.php file with secure version.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize itr_no parameter before processing

// In view_hematology.php, add: $itr_no = filter_var($_GET['itr_no'], FILTER_SANITIZE_NUMBER_INT);

Web Application Firewall Rule

all

Block SQL injection patterns targeting itr_no parameter

WAF rule: Block requests containing SQL keywords in itr_no parameter

🧯 If You Can't Patch

Implement network segmentation to restrict access to the vulnerable system
Deploy a web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Test view_hematology.php with SQL injection payloads in itr_no parameter (e.g., view_hematology.php?itr_no=1' OR '1'='1)

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Verify parameterized queries are used and input validation prevents SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in application logs
Multiple failed login attempts or parameter manipulation in access logs

Network Indicators:

HTTP requests with SQL keywords in itr_no parameter
Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND (uri="*view_hematology.php*" AND (query="*itr_no=*'*" OR query="*itr_no=*%27*" OR query="*itr_no=* OR *" OR query="*itr_no=* UNION *"))

📊 Metadata

CVE ID: CVE-2025-5762

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (7.3th percentile)

Published: June 6, 2025

Last Updated: June 10, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/bazhahei123/CVE/blob/main/sql_cve_6_5.pdf Exploit,Third Party Advisory
https://vuldb.com/?ctiid.311304 Permissions Required
https://vuldb.com/?id.311304 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.590749 Third Party Advisory,VDB Entry
https://github.com/bazhahei123/CVE/blob/main/sql_cve_6_5.pdf Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-5762, you might also want to check these: