Login Sign Up

CVE-2025-6346

6.3 MEDIUM
SQL Injection

📋 TL;DR

This vulnerability allows remote attackers to execute SQL injection attacks against the Advance Charity Management System 1.0 by manipulating the 'm06' parameter in the /members/fundDetails.php file. Attackers can potentially access, modify, or delete database content. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • SourceCodester Advance Charity Management System
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable file accessible via web interface.

📦 What is this software?

Advance Charity Management System by Aown Shah

View all CVEs affecting Advance Charity Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion, potentially leading to full system takeover if database privileges permit.

🟠

Likely Case

Unauthorized data access and extraction of sensitive information from the charity management database.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub gist, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameter validation to filter SQL injection attempts

Modify /members/fundDetails.php to validate and sanitize the 'm06' parameter using prepared statements or parameterized queries

Web Application Firewall Rule

all

Block SQL injection patterns targeting the vulnerable endpoint

Add WAF rule to block requests containing SQL injection patterns to /members/fundDetails.php

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules
  • Implement database user privilege restrictions to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Test the /members/fundDetails.php endpoint with SQL injection payloads in the 'm06' parameter and observe database errors or unexpected behavior.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test the same SQL injection attempts and verify they are properly rejected or sanitized without database errors.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Unusual database queries from web application user

Network Indicators:

  • HTTP requests to /members/fundDetails.php with SQL keywords in parameters

SIEM Query:

source="web_server" AND uri="/members/fundDetails.php" AND (param="m06" AND value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")

📊 Metadata

CVE ID: CVE-2025-6346
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.04% exploit probability (12th percentile)
Published: June 20, 2025
Last Updated: June 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-6346, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)