CVE-2025-1959
Published: 04 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1959 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System 1.0, published on 2025-03-04. The issue resides in an unknown function within the file /change_s_pwd.php, where manipulation of the login_id and login_key arguments enables SQL injection.
Attackers can exploit this vulnerability remotely without authentication or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Unauthenticated remote attackers require only low attack complexity to inject malicious SQL payloads, potentially achieving limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or service disruption.
References, including VulDB entries (vuldb.com/?ctiid.298560, vuldb.com/?id.298560, vuldb.com/?submit.510782) and a GitHub repository (github.com/CContinueee/CVE/blob/main/CVE_1.md), confirm that the exploit has been publicly disclosed and may be used. No specific patches or mitigation steps are detailed in the available information.
The public disclosure of the exploit increases the risk of active exploitation against unpatched instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing PHP web application (/change_s_pwd.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505), and collection from databases via arbitrary queries (T1213.006).