Campcodes Online Apartment Visitor Management System CVE-2025-11595
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in Campcodes Online Apartment Visitor Management System 1.0. Impacted is an unknown function of the file /admin-profile.php. Performing a manipulation of the argument mobilenumber results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
AnalysisAI
SQL injection in Campcodes Online Apartment Visitor Management System 1.0 allows high-privileged remote attackers to manipulate the mobilenumber parameter in /admin-profile.php, potentially leading to unauthorized database access or modification. The vulnerability requires administrative privileges to exploit and has limited confidentiality and integrity impact; public exploit code is available but real-world exploitation risk remains low due to EPSS score of 0.03% and the administrative access prerequisite.
Technical ContextAI
The vulnerability is a classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) occurring in a PHP-based web application. The /admin-profile.php endpoint fails to properly sanitize or parameterize the mobilenumber parameter before incorporating it into SQL queries. An attacker with administrative credentials can inject malicious SQL syntax into the mobilenumber field, potentially executing arbitrary database commands. The affected product is a visitor management system built on PHP, likely using a traditional SQL backend (MySQL/PostgreSQL) without prepared statements or input validation on this specific parameter.
RemediationAI
Upgrade to a patched version of Campcodes Online Apartment Visitor Management System if available from the vendor at www.campcodes.com. No specific vendor-released patch version is confirmed at this time. As an immediate compensating control, implement input validation on the mobilenumber parameter in /admin-profile.php by using parameterized queries (prepared statements) or stored procedures to prevent SQL injection. Restrict administrative access to a minimal set of trusted users through strong authentication and role-based access control. Apply a Web Application Firewall (WAF) rule to detect and block SQL injection patterns in the mobilenumber parameter. Contact Campcodes support for confirmation of patch availability and a timeline for security updates.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today