CRITICAL🇵🇱 Wersja polska

CVE-2025-45949

CVSS 9.8v3.1pub. 2025-04-28upd. 2026-07-05

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.

🤖 AI Analysis
How it works

The vulnerability (CWE-384) results from improper session data management in the password change component, located in the /loginsystem/change-password.php file. An attacker can remotely, without authentication and without user interaction, abuse the session mechanism in such a way as to gain access to another user's session. This leads to full account takeover.

Impact

An attacker can hijack the account of any user in the system, gaining full access to their data and user panel functions. Due to the network vector and lack of requirements for permissions or victim interaction, the attack is particularly dangerous.

Mitigation & patch

Patches available from the vendor should be applied according to references. It is recommended to monitor the vendor's official repository (phpgurukul.com) to download the updated software version and implement secure session management mechanisms (including session identifier regeneration after password change).

Who is affected

PHPGurukul User Registration & Login and User Management System version V3.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Phpgurukul User Registration \& Login And User Management System

    APP
    Phpgurukul
    3.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-48283CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Phpgurukul User Management System 3.2 – parametr searchkey

CVE-2020-25952CRITICAL9.8ten sam produkt

SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System With admin pane...

CVE-2024-48280HIGH7.6ten sam produkt

A SQL Injection vulnerability was found in /search-result.php of PHPGurukul User Registration & Login and User...

CVE-2024-48279HIGH7.6ten sam produkt

A HTML Injection vulnerability was found in /search-result.php of PHPGurukul User Registration & Login and Use...

CVE-2024-48282HIGH7.6ten sam produkt

A SQL Injection vulnerability was found in /password-recovery.php of PHPGurukul User Registration & Login and ...