Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
AnalysisAI
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in the /OnlineClassroom/facultylogin endpoint, leading to unauthorized data access, modification, and denial of service. The vulnerability has a publicly available proof-of-concept exploit and is likely to be actively exploited given the moderate CVSS score (6.3) and confirmed POC availability.
Technical ContextAI
The vulnerability resides in the facultylogin functionality of CodeAstro Online Classroom, where user-supplied input in the fid parameter is passed directly into SQL queries without proper sanitization or parameterized query preparation. This is a classic SQL injection vulnerability (CWE-89) where an attacker can manipulate SQL logic by injecting SQL syntax through the fid field. The attack occurs over the network (AV:N) against the web-based classroom management system, requiring only low privileges (authenticated user account PR:L) and no user interaction (UI:N), making it relatively straightforward to exploit once an attacker gains initial access.
RemediationAI
The primary remediation is to upgrade CodeAstro Online Classroom to a patched version released by CodeAstro; however, no specific patch version number is provided in the available data. Contact CodeAstro immediately at https://codeastro.com/ to obtain the latest security update for version 1.0 or migrate to a newer release if available. In the interim, implement the following compensating controls: (1) Apply strict input validation and whitelisting on the fid parameter to accept only expected numeric or alphanumeric formats, rejecting any input containing SQL metacharacters (quotes, dashes, semicolons, comments); (2) enforce parameterized queries or prepared statements in the facultylogin endpoint code to prevent SQL syntax injection; (3) restrict network access to the /OnlineClassroom/facultylogin endpoint using a Web Application Firewall (WAF) rule that blocks requests containing SQL keywords ('union', 'select', 'insert', 'drop', etc.) in the fid parameter; (4) limit database account privileges - ensure the database user account used by the application has only SELECT permissions required for legitimate queries, preventing INSERT, UPDATE, DELETE, or DROP operations even if injection succeeds; (5) monitor authentication logs and SQL query logs for suspicious patterns in facultylogin requests, alerting on multiple failed login attempts or unexpected SQL error messages. These controls have a side effect of potentially impacting legitimate users if input filters are too restrictive; test thoroughly before deployment to production.
More in Online Classroom
View allSQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Execut
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26928