CVE-2025-65358

9.8 CRITICAL

📋 TL;DR

CVE-2025-65358 is a SQL injection vulnerability in Edoc Doctor Appointment System v1.0.1 that allows attackers to execute arbitrary SQL commands via the 'docid' parameter in the admin appointment interface. This affects all deployments using the vulnerable version, potentially compromising the entire database.

💻 Affected Systems

Products:
  • Edoc Doctor Appointment System
Versions: v1.0.1
Operating Systems: Any OS running PHP with MySQL/MariaDB
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to reach the /admin/appointment.php endpoint

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized access to sensitive patient/doctor data, appointment manipulation, and potential privilege escalation to admin accounts.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place, potentially only causing errors without data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin authentication, but the SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Review the GitHub repository for updates
2. If no patch is available, implement parameterized queries in /admin/appointment.php
3. Validate and sanitize all user inputs, especially the 'docid' parameter
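The three steps above, carried through as an added example in PHP (the application's language). This is not the project's own code: the table and column names (appointment, docid, pname, date) are placeholders for whatever the real schema uses, and an in-memory SQLite database stands in for MySQL/MariaDB so the script runs offline. It validates 'docid' as a positive integer before any query, binds it through a prepared statement, and shows the concatenation pattern it replaces for contrast.

```php
<?php
// Added example, not code from Edoc Doctor Appointment System.
// Assumptions: table 'appointment' with columns id, docid, pname, date (placeholders);
// SQLite in memory stands in for the MySQL/MariaDB backend.
declare(strict_types=1);

/**
 * Return the doctor id as an int, or null when the raw value is missing or not a
 * positive integer. FILTER_VALIDATE_INT is stricter than is_numeric(), which would
 * also accept "1.5", "1e3" and values with leading whitespace.
 */
function validateDocId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Vulnerable pattern (illustrative only): the request value is concatenated into SQL text,
// so a quote in the input changes the query's structure instead of being data.
function fetchAppointmentsUnsafe(PDO $db, string $docid): array
{
    $sql = "SELECT id, pname, date FROM appointment WHERE docid = '" . $docid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound as an integer parameter; the SQL text never changes.
function fetchAppointmentsByDoctor(PDO $db, int $docid): array
{
    $stmt = $db->prepare('SELECT id, pname, date FROM appointment WHERE docid = :docid');
    $stmt->bindValue(':docid', $docid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handler: reject anything that is not a positive integer before touching the DB.
function handleRequest(PDO $db, array $get): array
{
    $docid = validateDocId($get['docid'] ?? null);
    if ($docid === null) {
        http_response_code(400);
        return ['error' => 'Invalid input'];
    }
    return ['rows' => fetchAppointmentsByDoctor($db, $docid)];
}

// Constructed demo database (not real data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE appointment (id INTEGER PRIMARY KEY, docid INTEGER, pname TEXT, date TEXT)');
$ins = $db->prepare('INSERT INTO appointment (docid, pname, date) VALUES (?, ?, ?)');
foreach ([[1, 'Patient A', '2025-01-10'], [2, 'Patient B', '2025-01-11'], [2, 'Patient C', '2025-01-12']] as $row) {
    $ins->execute($row);
}

$probe = "1' OR '1'='1";   // the probe string from the advisory's verification step
echo 'unsafe query with probe string: ' . count(fetchAppointmentsUnsafe($db, $probe)) . " rows (every appointment)\n";
print_r(handleRequest($db, ['docid' => $probe]));   // rejected before any query runs
print_r(handleRequest($db, ['docid' => '2']));      // two rows for doctor 2
print_r(handleRequest($db, []));                    // missing parameter: rejected
```

When the real backend is MySQL/MariaDB, also set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection so that binding happens server-side rather than by client-side quoting. The integer check in front of the prepared statement is not what prevents injection (the binding does that); it gives the handler a clean 400 response for malformed input instead of an empty result or a database error.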

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Add server-side validation to ensure the 'docid' parameter contains only numeric values.

Modify /admin/appointment.php to include: if (!isset($_GET['docid']) || !is_numeric($_GET['docid'])) { die('Invalid input'); }

Web Application Firewall (WAF) Rules (applies to: all)

Block SQL injection patterns in the 'docid' parameter.

Add a ModSecurity rule: SecRule ARGS:docid "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Restrict access to /admin/appointment.php using IP allow-listing or an additional authentication layer
  • Run the application under a database user with minimal privileges (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test the 'docid' parameter with SQL injection payloads like: /admin/appointment.php?docid=1' OR '1'='1

Check Version:

Check the software version in the application's admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer work and return proper error messages or are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL errors
  • Requests to /admin/appointment.php with suspicious 'docid' values

Network Indicators:

  • HTTP requests containing SQL keywords in 'docid' parameter
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/appointment.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR '1'='1*")
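The log indicators and the SIEM query above, turned into an added example that scans access-log lines offline. This is not the project's or any SIEM vendor's code: the log format is the common "combined" layout, the sample lines are constructed, and the pattern list is built from the indicators named in this section. The script URL-decodes the query string before matching, which the raw-field SIEM query above does not do.

```php
<?php
// Added example: flag requests to /admin/appointment.php whose 'docid' value is not a plain
// integer. Not the project's code; sample log lines are constructed.
declare(strict_types=1);

const TARGET_PATH = '/admin/appointment.php';

// Patterns taken from the advisory's indicators: SQL keywords, the classic tautology,
// quote/terminator characters and SQL comment sequences in a field that should be an integer.
const SUSPICIOUS_PATTERNS = [
    '/\bUNION\b/i',
    '/\bSELECT\b/i',
    '/\bOR\b\s*[\'"]?1[\'"]?\s*=\s*[\'"]?1/i',
    '/[\'";]/',
    '/--|#|\/\*/',
];

/**
 * Parse one combined-format line: IP - user [time] "METHOD path?query HTTP/x" status bytes.
 * Returns null when the line does not match. parse_str() URL-decodes the query values.
 */
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = parse_url($m[5]);
    parse_str($parts['query'] ?? '', $query);
    return [
        'ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4],
        'path' => $parts['path'] ?? '', 'query' => $query, 'status' => (int) $m[6],
    ];
}

/** Return the reasons a decoded docid value looks hostile; empty for a plain integer. */
function classifyDocId(string $value): array
{
    if (filter_var($value, FILTER_VALIDATE_INT) !== false) {
        return [];
    }
    $reasons = ['non-integer docid'];
    foreach (SUSPICIOUS_PATTERNS as $pattern) {
        if (preg_match($pattern, $value)) {
            $reasons[] = 'matches ' . $pattern;
        }
    }
    return $reasons;
}

/** Scan log lines and return one alert per suspicious request to the target path. */
function scanAccessLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $req = parseAccessLogLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH || !isset($req['query']['docid'])) {
            continue;
        }
        $raw = $req['query']['docid'];
        // docid[]=... arrives as an array; that is never legitimate for an id field.
        $reasons = is_string($raw) ? classifyDocId($raw) : ['docid is not a scalar'];
        if ($reasons !== []) {
            $alerts[] = [
                'time' => $req['time'], 'ip' => $req['ip'], 'user' => $req['user'],
                'status' => $req['status'], 'docid' => is_string($raw) ? $raw : json_encode($raw),
                'reasons' => $reasons,
            ];
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic). The second line carries the advisory's probe
// string URL-encoded, which a raw-text match for "'1'='1" would miss.
$sample = [
    '203.0.113.5 - admin [10/Jan/2025:10:00:01 +0000] "GET /admin/appointment.php?docid=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - admin [10/Jan/2025:10:00:09 +0000] "GET /admin/appointment.php?docid=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 48210',
    '203.0.113.5 - admin [10/Jan/2025:10:00:15 +0000] "GET /admin/appointment.php?docid=1+UNION+SELECT+1 HTTP/1.1" 500 312',
    '198.51.100.9 - - [10/Jan/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
];

foreach (scanAccessLog($sample) as $a) {
    printf("%s %s user=%s status=%d docid=%s reasons=%s\n",
        $a['time'], $a['ip'], $a['user'], $a['status'], $a['docid'], implode('; ', $a['reasons']));
}
```

Two points worth keeping from this: because exploitation requires an admin session, every alert carries an authenticated username, so the account to review is in the log line itself; and a 200 with an unusually large response size right after a quote-bearing docid (the second sample line) is the shape of a successful probe, while a 500 after the same kind of value usually means the query broke rather than leaked.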
