Multiple vulnerabilities in PHPGurukul's Online Fire Reporting System
Posted date 11/09/2025
Identifier
INCIBE-2025-0492
Importance
5 - Critical
Affected Resources
- Online Fire Reporting System, version 1.2.
Description
INCIBE has coordinated the publication of 10 vulnerabilities, 6 critical and 4 medium severity, affecting PHPGurukul's Online Fire Reporting System. The vulnerabilities were discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- from CVE-2025-40687 to CVE-2025-40692: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- from CVE-2025-40693 to CVE-2025-40696: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
- SQL injection vulnerability in PHPGurukul's Online Fire Reporting System v1.2. This vulnerability could allow an attacker to retrieve, create, update, and delete databases. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-40687: parameters 'location', 'message' and 'mobilenumber' in '/ofrs/reporting.php'.
- CVE-2025-40688: parameters 'mobilenumber', 'teamleadname' and 'teammember' in '/ofrs/admin/add-team.php'.
- CVE-2025-40689: parameters 'remark', 'status' and 'requestid' in '/ofrs/admin/request-details.php'.
- CVE-2025-40690: parameter 'teamid' in '/ofrs/admin/edit-team.php'.
- CVE-2025-40691: parameter 'todate' in '/ofrs/admin/bwdates-report-result.php'.
- CVE-2025-40692: parameter 'requestid' in '/ofrs/details.php'.
- Stored Cross-Site Scripting vulnerability in Online Fire Reporting System v1.2, which consists of a stored, authenticated XSS due to the lack of proper validation of user inputs. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-40693: parameters 'tname', 'teamleadname', 'teammember' and 'teamname' in '/ofrs/admin/edit-team.php'.
- CVE-2025-40694: parameters 'fromdate' and 'todate' in '/ofrs/admin/bwdates-report-result.php'.
- CVE-2025-40695: parameters 'remark', 'status' and 'takeaction' in '/ofrs/admin/request-details.php'.
- CVE-2025-40696: parameters 'fullname', 'location' and 'message' in '/ofrs/reporting.php'.
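Added example, not part of the advisory and not PHPGurukul's code: a small detector that encodes the endpoint/parameter map listed above and flags access-log requests whose affected parameters carry SQL or HTML metacharacters, reporting the matching CVE ids. It assumes a combined-format log in which the parameters appear in the query string; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected endpoints and parameters, taken from the advisory's Detail section.
AFFECTED = {
    "/ofrs/reporting.php": {
        "CVE-2025-40687": {"location", "message", "mobilenumber"},
        "CVE-2025-40696": {"fullname", "location", "message"},
    },
    "/ofrs/admin/add-team.php": {"CVE-2025-40688": {"mobilenumber", "teamleadname", "teammember"}},
    "/ofrs/admin/request-details.php": {
        "CVE-2025-40689": {"remark", "status", "requestid"},
        "CVE-2025-40695": {"remark", "status", "takeaction"},
    },
    "/ofrs/admin/edit-team.php": {
        "CVE-2025-40690": {"teamid"},
        "CVE-2025-40693": {"tname", "teamleadname", "teammember", "teamname"},
    },
    "/ofrs/admin/bwdates-report-result.php": {
        "CVE-2025-40691": {"todate"},
        "CVE-2025-40694": {"fromdate", "todate"},
    },
    "/ofrs/details.php": {"CVE-2025-40692": {"requestid"}},
}

# Coarse indicator: quotes, tag brackets, statement separators, SQL comment
# openers or UNION/SELECT keywords in the value of an affected parameter.
SUSPECT = re.compile(r"""['"<>;]|--|/\*|\bunion\b|\bselect\b""", re.IGNORECASE)

def flag_request(path, params):
    """Return the sorted CVE ids whose affected parameters carry a suspicious value."""
    hits = set()
    for cve, names in AFFECTED.get(path, {}).items():
        for name in names:
            if any(SUSPECT.search(value) for value in params.get(name, [])):
                hits.add(cve)
    return sorted(hits)

def flag_log_line(line):
    """Extract the request target from one combined-format line and check it."""
    match = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    return flag_request(url.path, parse_qs(url.query, keep_blank_values=True))

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '10.0.0.5 - - [11/Sep/2025:10:00:00 +0000] "GET /ofrs/details.php?requestid=12 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Sep/2025:10:00:01 +0000] "GET /ofrs/details.php?requestid=12%27 HTTP/1.1" 500 310',
    '10.0.0.7 - - [11/Sep/2025:10:00:02 +0000] "GET /ofrs/admin/bwdates-report-result.php?fromdate=%3Cb%3E&todate=2025-09-11 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(flag_log_line(line), line.split('"')[1])
```

Parameters submitted in a POST body are not visible in a standard access log, so for those endpoints the same `flag_request` check belongs in application or WAF logging.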
CVE

| CVE Identifier | Severity | Exploitation | New Vendor |
| --- | --- | --- | --- |
| CVE-2025-40687 | Critical | No | PHPGurukul |
| CVE-2025-40688 | Critical | No | PHPGurukul |
| CVE-2025-40689 | Critical | No | PHPGurukul |
| CVE-2025-40690 | Critical | No | PHPGurukul |
| CVE-2025-40691 | Critical | No | PHPGurukul |
| CVE-2025-40692 | Critical | No | PHPGurukul |
| CVE-2025-40693 | Medium | No | PHPGurukul |
| CVE-2025-40694 | Medium | No | PHPGurukul |
| CVE-2025-40695 | Medium | No | PHPGurukul |
| CVE-2025-40695 | Medium | No | PHPGurukul |