CodeAstro Gym Management System CVE-2025-11588
Severity by source: LOW
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was identified in CodeAstro Gym Management System 1.0. This impacts an unknown function of the file /customer/index.php. Such manipulation of the argument fullname leads to SQL injection. The attack may be performed remotely. The exploit is publicly available and might be used.
Analysis (AI)
SQL injection in CodeAstro Gym Management System 1.0 via the fullname parameter in /customer/index.php allows authenticated remote attackers to execute arbitrary SQL queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% (8th percentile) suggests minimal real-world exploitation despite public POC availability, likely due to authentication requirement and narrow deployment scope of this niche management application.
Technical Context (AI)
The vulnerability is a classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) occurring in a PHP-based web application. The fullname parameter in the customer management module (/customer/index.php) is neither sanitized nor parameterized before being included in SQL queries. The CVSS vector AV:N/AC:L indicates a network-accessible vulnerability with low attack complexity, but PR:L (privileges required: low) mandates prior authentication, which reduces the attack surface. The CWE-74 classification confirms unsafe dynamic SQL construction without prepared statements or input validation.
Remediation (AI)
No vendor-released patch identified at time of analysis. Immediate remediation requires applying input validation and parameterized queries to the fullname parameter in /customer/index.php. Recommended compensating controls:
1. Implement parameterized prepared statements (e.g., using PDO or mysqli prepared statements in PHP) for all SQL queries handling the fullname parameter. This eliminates SQL injection regardless of input content but requires code modification.
2. Apply strict input validation on fullname, allowing alphanumeric characters and spaces only and rejecting SQL metacharacters (single quotes, semicolons, dashes, parentheses). This is less robust than parameterization but can reduce the attack surface if parameterization is blocked by legacy architecture.
3. Restrict the database permissions of the application account to SELECT/INSERT/UPDATE on the required tables only, denying CREATE/DROP/ALTER. This limits the damage from SQL injection to data exfiltration rather than schema destruction; it has no performance impact but requires database reconfiguration.
4. Enable SQL query logging and Web Application Firewall (WAF) rules to detect SQL injection patterns in the fullname parameter, alerting on union-based or time-based SQL injection signatures. This provides detection but not prevention, and is useful for incident response.
Contact CodeAstro for patch availability at https://codeastro.com/.
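As an added example (not code from CodeAstro or from this advisory), the following PHP shows controls (1) and (2) applied to a hypothetical fullname lookup handler for /customer/index.php. The customers table, its columns, the gym database name and the gym_app account are assumptions; the actual affected function is not known.

```php
<?php
declare(strict_types=1);

// Added example, not the CodeAstro code. Assumes a PDO connection to the
// application's MySQL database and a hypothetical "customers" table.

function validateFullname(string $fullname): string
{
    // Control (2): letters, digits and spaces only, bounded in length.
    // Anything else is rejected before the value reaches the database.
    $trimmed = trim($fullname);
    if ($trimmed === '' || strlen($trimmed) > 100
        || preg_match('/^[A-Za-z0-9 ]+$/', $trimmed) !== 1) {
        throw new InvalidArgumentException('fullname contains disallowed characters');
    }
    return $trimmed;
}

function findCustomerByFullname(PDO $pdo, string $fullname): ?array
{
    $name = validateFullname($fullname);

    // Control (1): a prepared statement. The value is bound as data and is
    // never concatenated into the query text, so quotes or comment sequences
    // in $name cannot change the structure of the statement. This is what
    // actually stops the injection; the whitelist above is defence in depth.
    $stmt = $pdo->prepare(
        'SELECT id, fullname, email FROM customers WHERE fullname = :fullname LIMIT 1'
    );
    $stmt->bindValue(':fullname', $name, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request wiring (DSN, account and environment variable name are assumed).
$pdo = new PDO('mysql:host=localhost;dbname=gym', 'gym_app', getenv('GYM_DB_PASSWORD') ?: null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

try {
    $customer = findCustomerByFullname($pdo, $_GET['fullname'] ?? '');
    header('Content-Type: application/json');
    echo json_encode($customer);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid fullname';
}
```

Control (3) from the list is applied on the database side, by granting gym_app only SELECT/INSERT/UPDATE on the needed tables, and is not shown here.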