CVE-2025-0881
Published: 30 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0881 is a critical SQL injection vulnerability in Codezips Gym Management System version 1.0. The issue affects an unknown function within the file /dashboard/admin/saveroutine.php, where manipulation of the 'rname' argument enables SQL injection. This flaw, associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), was published on 2025-01-30 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts including low-level disclosure of confidential information, modification of data, and denial of service, all within the unchanged scope of the application.
Advisories referenced in sources like VulDB and a GitHub issue (wizdzz/CVE #1) disclose a public exploit, indicating it may be actively used by attackers. No specific patches or mitigation steps are detailed in the available references.
The exploit's public disclosure heightens the risk for deployments of this gym management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/dashboard/admin/saveroutine.php) enables exploitation of public-facing application (T1190) and unauthorized access to/manipulation of database contents (T1213.006).