Cyber Posture

CVE-2025-0803

High · Public PoC

Published: 29 January 2025
Modified: 11 February 2025
KEV Added: none listed
Patch: none specified
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0006 (17.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/admin/submit_plan_new.php. The manipulation of the argument planid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2025-0803 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System version 1.0. The flaw resides in an unknown functionality of the file /dashboard/admin/submit_plan_new.php, where manipulation of the planid argument triggers the injection.

Remote attackers require no privileges or user interaction to exploit this vulnerability, which has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability through arbitrary SQL query execution.

VulDB advisories (ctiid.293924, id.293924, submit.485218) document the issue, and a proof-of-concept exploit has been publicly disclosed in a GitHub repository (alc9700jmo/CVE/issues/8), increasing the risk of widespread abuse. No patch details are specified in the available references.

Details

CWE(s)
CWE-74, CWE-89

Affected Products

gymmanagementsystem
gym management system
1.0

References