Key Information

Vulnerability Overview
- Vulnerability Type: SQL Injection
- Affected File: normal-bwdates-reports-details.php
- CVE ID: CVE-2025-56075

Affected Product Details
- Product Name: Park Ticketing Management System Using PHP and MySQL
- Vendor: PHPGurukul
- Affected Code File: normal-bwdates-reports-details.php
- Affected Parameter: fromdate
- Method: POST
- Type: Time-based Blind SQL Injection
- Version: v2.0
- Official Website: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/

Reproduction Steps
1. Log in to the admin panel.
2. Navigate to the Reports section and select "Normal People Report".
3. Intercept the request and locate the problematic parameter.
4. Confirm the vulnerability:
   - Send a modified request and observe a 10-second delay in the response to confirm time-based blind SQL injection.
   - Inject the following payload into the parameter:

Impact
- Data Theft: Unauthorized access to server database data.
- Data Manipulation: Alteration or deletion of critical data.
- Enumeration: Enumeration of the database structure for further attacks.
- Financial Loss: Potential economic loss due to service disruption.
- Reputation Damage: Loss of user trust due to failures or downtime.

Recommended Mitigation Measures
1. Input Validation: Sanitize and validate all inputs.
2. Prepared Statements: Use parameterized queries to prevent SQL injection.
3. Output Encoding: Encode data before rendering in the application.
4. Content Security Policy (CSP): Implement CSP to mitigate HTML injection risks.
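The following is an added illustration of mitigation steps 1 to 3 applied to the affected parameter; it is not the project's code. The table name `tbltickets`, the columns `TicketDate` and `TicketType`, the `$con` mysqli connection and the `todate` parameter are assumptions.

```php
<?php
// Added example, not code from the vulnerable application.
// Assumed: $con is an open mysqli connection; tbltickets/TicketDate/TicketType are placeholders.

// Step 1, input validation: accept only a strict YYYY-MM-DD date.
// Round-tripping through format() rejects inputs that merely start with a date
// and carry extra text after it.
function validDate(string $s): bool {
    $d = DateTime::createFromFormat('Y-m-d', $s);
    return $d !== false && $d->format('Y-m-d') === $s;
}

$fromdate = $_POST['fromdate'] ?? '';
$todate   = $_POST['todate'] ?? '';
if (!validDate($fromdate) || !validDate($todate)) {
    http_response_code(400);
    exit('Invalid date range');
}

// Weak pattern the advisory describes (shown only for contrast, never executed):
// $sql = "SELECT * FROM tbltickets WHERE DATE(TicketDate) BETWEEN '$fromdate' AND '$todate'";
// The user-controlled string becomes part of the SQL text, so a crafted value
// can change the query and, for a time-based blind case, stall the response.

// Step 2, prepared statement: the dates travel as bound parameters, separate
// from the SQL text, so they cannot alter the query structure.
$stmt = $con->prepare(
    "SELECT TicketDate, TicketType FROM tbltickets
     WHERE TicketType = 'Normal' AND DATE(TicketDate) BETWEEN ? AND ?"
);
$stmt->bind_param('ss', $fromdate, $todate);
$stmt->execute();
$result = $stmt->get_result();

// Step 3, output encoding: escape database values before rendering them as HTML.
while ($row = $result->fetch_assoc()) {
    echo '<tr><td>', htmlspecialchars($row['TicketDate'], ENT_QUOTES, 'UTF-8'),
         '</td><td>', htmlspecialchars($row['TicketType'], ENT_QUOTES, 'UTF-8'),
         "</td></tr>\n";
}
$stmt->close();
```

Rejecting malformed dates before the query also gives a clean signal for monitoring: a 400 on this endpoint with a non-date `fromdate` is worth logging.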