CVE-2025-1380
Published: 17 February 2025
Description
A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /dashboard/admin/del_plan.php. The manipulation of the argument name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-1380 is a critical SQL injection vulnerability in Codezips Gym Management System 1.0, affecting unspecified functionality in the file /dashboard/admin/del_plan.php. The issue arises from manipulation of the 'name' argument and is classified under CWE-74 (Injection) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL Injection). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with remote exploitability by a low-privileged user.
An attacker with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation of the injection could have limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L), for example unauthorized data access, modification, or disruption within the application's database.
Advisories and further details, including potential mitigation guidance, are available in references such as VulDB entries (https://vuldb.com/?ctiid.295988, https://vuldb.com/?id.295988, https://vuldb.com/?submit.501980) and Yuque pages (https://www.yuque.com/polaris-pisym/aevk1q/fdkeqw2a2ug9zohn). The exploit has been publicly disclosed and may be in use.
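As an added illustration of the weakness class (not the project's own code, which the advisory does not show), the following hypothetical deletion handler builds a DELETE statement by concatenating the request's `name` value, beside the same operation rewritten with a prepared statement and a bound parameter; the table name `plans`, its `name` column and the use of mysqli are assumptions.

```php
<?php
// Added illustration, not code from Codezips Gym Management System.
// Table and column names (plans, name) are assumptions.

// Vulnerable pattern: the request value becomes part of the SQL text,
// so quote or operator characters in `name` alter the statement's
// structure instead of being compared as data (CWE-89).
function deletePlanVulnerable(mysqli $db, string $name): bool
{
    $sql = "DELETE FROM plans WHERE name = '" . $name . "'";
    return $db->query($sql) !== false;
}

// Hardened form: the SQL text is fixed at prepare time and the value is
// sent separately as a typed parameter, so it can only be a string to
// compare against, never additional SQL.
function deletePlanSafe(mysqli $db, string $name): int
{
    $stmt = $db->prepare("DELETE FROM plans WHERE name = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Input and authorization checks still belong in front of the query:
// a delete endpoint under /dashboard/admin/ should only be reachable
// by an authenticated administrator, and the value should be bounded.
$name = $_POST['name'] ?? '';
if ($name === '' || strlen($name) > 100) {
    http_response_code(400);
    exit('invalid plan name');
}
```

Parameterizing the query removes the injection regardless of the value supplied; the length and authentication checks reduce exposure but are not a substitute for it.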
Details
- CWE(s)