{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-40689","assignerOrgId":"0cbda920-cd7f-484a-8e76-bf7f4b7f4516","state":"PUBLISHED","assignerShortName":"INCIBE","dateReserved":"2025-04-16T08:38:17.111Z","datePublished":"2025-09-11T11:21:04.508Z","dateUpdated":"2025-09-11T14:35:47.496Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Online Fire Reporting System","vendor":"PHPGurukul","versions":[{"status":"affected","version":"1.2"}]}],"credits":[{"lang":"en","type":"finder","value":"Rafael Pedrero"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via&nbsp;\n\n<span style=\"background-color: rgb(255, 255, 255);\">'</span><em>remark</em><span style=\"background-color: rgb(255, 255, 255);\">', '</span><em>status</em><span style=\"background-color: rgb(255, 255, 255);\">' and '</span><em>requestid</em><span style=\"background-color: rgb(255, 255, 255);\">' parameters in the endpoint '</span><em>/ofrs/admin/request-details.php</em><span style=\"background-color: rgb(255, 255, 255);\">'.</span>\n\n<br></div>"}],"value":"SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. 
This vulnerability allows an attacker to retrieve, create, update and delete database contents via the 'remark', 'status' and 'requestid' parameters in the endpoint '/ofrs/admin/request-details.php'."}],"impacts":[{"capecId":"CAPEC-66","descriptions":[{"lang":"en","value":"CAPEC-66 SQL Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"0cbda920-cd7f-484a-8e76-bf7f4b7f4516","shortName":"INCIBE","dateUpdated":"2025-09-11T11:21:04.508Z"},"references":[{"url":"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpgurukuls-online-fire-reporting-system"}],"source":{"discovery":"UNKNOWN"},"title":"SQL injection in PHPGurukul Online Fire Reporting System","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-11T13:28:45.938215Z","id":"CVE-2025-40689","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP 
Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-11T14:35:47.496Z"}}]}}