CVE-2025-1183
Published: 12 February 2025
Description
Adversaries may attempt to get a listing of local system accounts.
Security Summary
CVE-2025-1183 is a critical SQL injection vulnerability (CWE-74, CWE-89) in CodeZips Gym Management System version 1.0. The flaw lies in an unidentified function of the file /dashboard/admin/more-userprofile.php, where manipulation of the login_id parameter allows attacker-supplied SQL to reach the database query. The vulnerability was published on 2025-02-12 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by an attacker holding low privileges, such as an authenticated user with basic access, and requires no user interaction. Successful exploitation has a limited impact on confidentiality, integrity and availability: partial unauthorized access to stored data, modification of database content, or a low-level denial of service.
Advisories detailing the issue are available via VulDB entries at https://vuldb.com/?ctiid.295087, https://vuldb.com/?id.295087, and https://vuldb.com/?submit.495410, along with additional information at https://www.yuque.com/polaris-pisym/aevk1q/fyu4dy8fglbs6rzy. The exploit has been publicly disclosed and may be used by attackers.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (/dashboard/admin/more-userprofile.php) enables remote exploitation (T1190), arbitrary database queries that can be used to collect stored data (T1213.006), and enumeration of local accounts through the user profile data the page exposes (T1087.001).