CodeAstro Gym Management System CVE-2025-12242
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in CodeAstro Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/actions/check-attendance.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/actions/check-attendance.php, resulting in limited confidentiality and integrity compromise. The vulnerability requires valid administrator credentials, has publicly available exploit code, but carries very low real-world risk with an EPSS score of 0.03% due to authentication requirements and limited impact scope (CVE4.0 vector shows only partial confidentiality/integrity loss, no availability impact).
Technical ContextAI
The vulnerability exists in PHP-based functionality within the administrative interface of a gym management web application. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates unsafe handling of user-supplied input (the ID parameter) before use in SQL queries. The attack vector targets a specific administrative action handler file (check-attendance.php) that processes attendance data. When the ID parameter is not properly validated or parameterized, an authenticated administrator can inject arbitrary SQL commands, potentially extracting or modifying database records related to attendance information.
RemediationAI
No vendor-released patch identified at time of analysis. CodeAstro should be contacted directly via https://codeastro.com/ to request a patched version. Immediate compensating controls: (1) Restrict /admin/actions/check-attendance.php access to a whitelist of known admin IP addresses using firewall or web application firewall rules - this eliminates the remote network vector while maintaining functionality; (2) enforce parameterized SQL queries or stored procedures in the check-attendance.php handler to prevent SQL injection regardless of input - coordinate with CodeAstro for implementation; (3) rotate and enforce strong, unique administrative credentials; disable default admin accounts. Longer-term: migrate to a maintained gym management system with security update support, as CodeAstro appears to have minimal vendor responsiveness. Trade-off: IP whitelisting may break legitimate remote admin access if staff work from multiple locations.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today