CVE-2025-3147 in Boat Booking System

Summary

by MITRE • 04/03/2025

A vulnerability has been found in PHPGurukul Boat Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-subadmin.php. The manipulation of the argument sadminusername leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.


Analysis

by VulDB Data Team • 05/10/2026

The vulnerability in PHPGurukul Boat Booking System 1.0 is a SQL injection flaw, rated critical, in the file /add-subadmin.php. The script reads the sadminusername parameter and incorporates it into a database query without adequate validation or escaping, so an attacker who controls that value can change the structure of the SQL statement rather than merely supplying data. The critical rating reflects what a SQL injection against an administrative function can reach: the application's database and, through it, its accounts and records.

Exploitation is remote. The attacker submits a crafted sadminusername value to add-subadmin.php; because the script does not separate query text from user data, a value containing quote characters or SQL syntax becomes part of the executed statement. Depending on the shape of the statement and the privileges of the database account, this can be used to read other tables (for example credential data), insert or modify rows, or, where the account permits it, run administrative statements against the database. No physical or local access is needed. One point the summary does not state is whether /add-subadmin.php is reachable without an administrative session; anyone assessing exposure should check that first, since it decides whether the flaw is an unauthenticated entry point or an escalation path for someone who already holds a lower-privileged account.

The operational impact goes beyond data theft. A successful injection against the script that creates sub-admin accounts can hand the attacker persistent administrative access to the booking system, with service disruption, data manipulation, or unauthorized processing of bookings as follow-on effects. Because a public exploit has been disclosed, the attack can be replayed without independent research, which raises the risk profile considerably. Deployments of this system should assume that booking records, user credentials, and potentially payment-related data held in the database are at risk. The EPSS score and the "very low" activity rating listed below indicate little observed exploitation so far; they are priors about likelihood, not evidence that the exploit does not work.

Mitigation should start in the affected script: replace string-built queries with prepared statements so that sadminusername (and every other request parameter) is bound as data and can never be parsed as SQL. Input validation is a second layer rather than a substitute: restrict the username to an expected character set and length and reject anything else before it reaches the database. A web application firewall can block common injection payloads in transit, but it is a compensating control, not a fix. Since this is one script in a small PHP application, the other scripts should be reviewed for the same string-concatenation pattern. The weakness is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), and the initial-access technique is ATT&CK T1190 (Exploit Public-Facing Application); "Exploitation for Credential Access" is a different technique, T1212, and does not describe this attack.
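The following is an added example and not PHPGurukul's code: a hypothetical reconstruction of the string-built INSERT pattern that produces this class of flaw in /add-subadmin.php, placed beside a hardened replacement that validates the username and binds every value through a mysqli prepared statement. The table name tbladmin, its column names, the field names sadminpassword and sadminemail, and the username policy are all assumptions; only the script name and the sadminusername parameter come from the advisory.

```php
<?php
// Added example, not PHPGurukul's code. The vulnerable function is a
// hypothetical reconstruction of a string-built INSERT; tbladmin, its
// columns, and the sadminpassword/sadminemail fields are assumptions.
// $con is an open mysqli connection.

// Vulnerable pattern: the sadminusername value is spliced into the SQL text.
function addSubAdminVulnerable(mysqli $con, array $post): bool
{
    $username = $post['sadminusername'];
    $password = $post['sadminpassword'];
    $email    = $post['sadminemail'];
    $sql = "INSERT INTO tbladmin (UserName, Password, Email)
            VALUES ('$username', '$password', '$email')";
    // A username such as
    //   x','p','x@x'),('backdoor','known','b@b')#
    // closes the first row early, appends an attacker-chosen row, and comments
    // out the rest of the statement (# starts a line comment in MySQL).
    return $con->query($sql) !== false;
}

// Hardened replacement: validate first, then bind values as data.
function validateSubAdminUsername(string $value): ?string
{
    // Assumed policy: 3 to 32 characters, letters, digits and underscore only.
    // This is a second layer; the prepared statement below is what actually
    // prevents the injection.
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $value) === 1 ? $value : null;
}

function addSubAdminSafe(mysqli $con, array $post): bool
{
    $username = validateSubAdminUsername((string)($post['sadminusername'] ?? ''));
    $email    = filter_var($post['sadminemail'] ?? '', FILTER_VALIDATE_EMAIL);
    $plain    = (string)($post['sadminpassword'] ?? '');
    if ($username === null || $email === false || $plain === '') {
        return false;
    }
    // Store a password hash instead of the plaintext the vulnerable version wrote.
    $hash = password_hash($plain, PASSWORD_DEFAULT);

    // Placeholders fix the statement structure before any user data is seen;
    // the driver sends the bound values separately, so a quote in $username
    // is stored literally rather than parsed as SQL.
    $stmt = $con->prepare(
        'INSERT INTO tbladmin (UserName, Password, Email) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $username, $hash, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The regular expression would already reject the payload in the comment, but the prepared statement is the control that holds even if the validation rule is later loosened to admit characters such as apostrophes; the two are complementary, and the validation is the one that is easy to get wrong.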

Responsible

VulDB

Disclosure

04/03/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00206

KEV

no

Activities

very low
