Multiple vulnerabilities in PHPGurukul's Online Fire Reporting System
Posted date 11/09/2025
Identifier
INCIBE-2025-0492
Importance
5 - Critical
Affected Resources
- Online Fire Reporting System, version 1.2.
Description
INCIBE has coordinated the publication of 10 vulnerabilities, 6 critical and 4 medium severity, affecting PHPGurukul's Online Fire Reporting System. The vulnerabilities were discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- from CVE-2025-40687 to CVE-2025-40692: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- from CVE-2025-40693 to CVE-2025-40696: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
- SQL injection vulnerability in PHPGurukul's Online Fire Reporting System v1.2. This vulnerability could allow an attacker to retrieve, create, update, and delete databases. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-40687: parameters 'location', 'message' and 'mobilenumber' in '/ofrs/reporting.php'.
- CVE-2025-40688: parameters 'mobilenumber', 'teamleadname' and 'teammember' in '/ofrs/admin/add-team.php'.
- CVE-2025-40689: parameters 'remark', 'status' and 'requestid' in '/ofrs/admin/request-details.php'.
- CVE-2025-40690: parameter 'teamid' in '/ofrs/admin/edit-team.php'.
- CVE-2025-40691: parameter 'todate' in '/ofrs/admin/bwdates-report-result.php'.
- CVE-2025-40692: parameter 'requestid' in '/ofrs/details.php'.
- Stored Cross Site Scripting vulnerability in Online Fire Reporting System v1.2, consisting of a stored, authenticated XSS due to the lack of proper validation of user inputs. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-40693: parameters 'tname', 'teamleadname', 'teammember' and 'teamname' in '/ofrs/admin/edit-team.php'.
- CVE-2025-40694: parameters 'fromdate' and 'todate' in '/ofrs/admin/bwdates-report-result.php'.
- CVE-2025-40695: parameters 'remark', 'status' and 'takeaction' in '/ofrs/admin/request-details.php'.
- CVE-2025-40696: parameters 'fullname', 'location' and 'message' in '/ofrs/reporting.php'.
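As an added, illustrative example (not the project's code; the advisory publishes no source), the following PHP shows how a handler for parameters such as 'requestid', 'remark' and 'status' avoids the two weakness classes listed above, CWE-89 and CWE-79; the table and column names, the status values and the DSN are assumptions.

```php
<?php
// Added example, not code from PHPGurukul's Online Fire Reporting System.
// Mitigations for the two CWE classes the advisory names: CWE-89 via PDO
// prepared statements, CWE-79 via output encoding at render time.
// Table/column names (fire_requests, remark, status) and the DSN are assumptions.

function getDb(): PDO
{
    // Emulated prepares off: parameters travel separately from the SQL text.
    return new PDO('mysql:host=127.0.0.1;dbname=ofrs;charset=utf8mb4', 'ofrs', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}
// Vulnerable pattern (CWE-89), for contrast only: the request parameter is
// concatenated into the SQL string, so the query text depends on user input.
//   $sql = "SELECT * FROM fire_requests WHERE id='" . $_GET['requestid'] . "'";

// Hardened lookup for a 'requestid'-style parameter: validate the type, then bind.
function fetchRequest(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not an integer: treat as "not found", never build SQL from it
    }
    $stmt = $pdo->prepare('SELECT id, remark, status FROM fire_requests WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Hardened update for 'remark'/'status'-style parameters: free text is bound
// (no injection) and 'status' is checked against an allow list (assumed values).
function updateRequest(PDO $pdo, int $id, string $remark, string $status): bool
{
    if (!in_array($status, ['Pending', 'In Progress', 'Resolved'], true)) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE fire_requests SET remark = :remark, status = :status WHERE id = :id');
    return $stmt->execute([':remark' => $remark, ':status' => $status, ':id' => $id]);
}

// Output encoding (CWE-79): encode stored values for the HTML element context on
// every render, so a remark containing markup is displayed as text, not interpreted.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Binding covers the SQL side only; every stored value still has to pass through h() (or an encoder for the attribute or JavaScript context it lands in) each time it is rendered.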
Exploitation
No