CVE-2025-0231
Published: 05 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0231 is a SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System version 1.0, published on 2025-01-05. The issue resides in an unknown functionality of the file /dashboard/admin/submit_payments.php, where manipulation of the m_id argument triggers the injection. It has been classified as critical with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation by a low-privileged attacker (PR:L) with low attack complexity and no user interaction required. Successful exploitation can result in limited impacts: low confidentiality (C:L) allowing partial data disclosure, low integrity (I:L) enabling minor unauthorized modifications, and low availability (A:L) potentially causing partial denial of service.
Advisories and details are documented in references including a GitHub issue at https://github.com/gh464646/CVE/issues/1 and VulDB entries at https://vuldb.com/?ctiid.290227, https://vuldb.com/?id.290227, and https://vuldb.com/?submit.474596. The exploit has been publicly disclosed and may be used by attackers.
In notable context, the public availability of the exploit increases the risk for unpatched instances of the affected Gym Management System.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in unauthenticated public-facing web application (/dashboard/admin/submit_payments.php) enables exploitation of public-facing application (T1190) and unauthorized database access for data collection (T1213.006).