CVE-2025-1854
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1854 is a critical SQL injection vulnerability affecting Codezips Gym Management System version 1.0. The flaw resides in an unknown function within the file /dashboard/admin/del_member.php, where manipulation of the "name" argument enables SQL injection. Published on 2025-03-03, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs-74 and CWE-89.
The vulnerability is remotely exploitable by attackers possessing low privileges, such as an authenticated user with access to the admin dashboard. Exploitation requires low complexity and no user interaction, potentially allowing limited impacts on confidentiality, integrity, and availability through arbitrary SQL query execution.
Advisories from VulDB (ctiid.298122, id.298122, submit.506053) and a GitHub repository (https://github.com/yhj09/CVE/blob/main/CVE_1.md) provide additional details, including the publicly disclosed exploit that may be used by attackers. No specific patch or mitigation guidance is detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing web application (/dashboard/admin/del_member.php) enables exploitation for initial access (T1190) and facilitates arbitrary queries for data collection from the backend database (T1213.006).