CVE-2025-0562
Published: 19 January 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-0562 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System 1.0. The flaw affects the processing of the file /dashboard/admin/health_status_entry.php, where manipulation of the usrid argument enables SQL injection. Published on 2025-01-19, it carries a CVSS v3.1 base score of 6.3.
The vulnerability is remotely exploitable over the network with low complexity and no user interaction required, but it demands low privileges (PR:L) from the attacker. Exploitation can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged scope.
Advisories and further details, including the public exploit disclosure, are documented in references such as https://github.com/LiuSir5211314/-sir/issues/1, https://vuldb.com/?ctiid.292523, https://vuldb.com/?id.292523, and https://vuldb.com/?submit.484184. The exploit has been made publicly available and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/dashboard/admin/health_status_entry.php) enables exploitation of public-facing applications (T1190), data collection from databases via arbitrary queries (T1213.006), and manipulation of stored data affecting CIA triad (T1565.001).