CVE-2025-1188
Published: 12 February 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1188 is a critical SQL injection vulnerability in Codezips Gym Management System 1.0. The issue resides in an unknown functionality of the file /dashboard/admin/updateroutine.php, where manipulation of the 'tid' argument triggers the injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users with basic access. Exploitation requires network connectivity and low complexity, with no user interaction necessary. Successful attacks can result in limited impacts to confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption within the application's database.
Advisories referenced in VulDB entries (ctiid.295094, id.295094, submit.496409) and a GitHub repository document the issue, with the exploit publicly disclosed and available for use. No specific patches or mitigation steps are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/dashboard/admin/updateroutine.php) enables exploitation of public-facing applications (T1190), collection from databases via arbitrary SQL queries (T1213.006), and abuse of server software components (T1505 as assigned by VulDB).