CVE-2025-0541

MediumPublic PoC

Published: 17 January 2025

Published

17 January 2025

Modified

25 February 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0015 35.4th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-0541 is a SQL injection vulnerability affecting Codezips Gym Management System version 1.0. The flaw occurs in the processing of the file /dashboard/admin/edit_member.php, where manipulation of the "name" argument enables SQL injection. Published on 2025-01-17, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-89. Other parameters may also be vulnerable.

An attacker with low privileges can exploit this remotely by injecting malicious SQL via the "name" parameter during member editing operations. Successful exploitation allows limited impacts: low confidentiality (e.g., partial data exposure), integrity (e.g., minor data alteration), and availability (e.g., minor service disruption) within the application's database.

References, including VulDB entries (ctiid.292433, id.292433, submit.480220) and a GitHub issue (nbeisss/CVE/issues/1), indicate the exploit has been publicly disclosed and may be used. No patches or specific mitigation guidance are mentioned in the available details.

Details

CWE(s): CWE-74CWE-89

Affected Products

codezips

gym management system

1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability allows remote exploitation of a public-facing web application (T1190), abuse of server software components via injected SQL queries (T1505), and collection of database contents using union-based, error-based, or blind techniques (T1213.006).

References

https://github.com/nbeisss/CVE/issues/1
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.292433
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.292433
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.480220
Third Party Advisory, VDB Entry · cna@vuldb.com