Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /OnlineClassroom/studentdetails endpoint, enabling unauthorized data access, modification, and potential denial of service. The vulnerability has publicly available exploit code and confirmed exploitation potential, affecting all versions up to 1.0.
Technical ContextAI
The vulnerability exists in the student details management functionality of CodeAstro Online Classroom. The /OnlineClassroom/studentdetails endpoint fails to properly sanitize or parameterize the deleteid input parameter before incorporating it into SQL queries. This is a classic SQL injection flaw (CWE-89) where attacker-controlled input is concatenated directly into dynamic SQL statements without input validation or prepared statement usage. The CPE cpe:2.3:a:codeastro:online_classroom:*:*:*:*:*:*:*:* indicates all versions of the product are affected. The vulnerability requires network access and low-level privileges (PR:L in CVSS vector), suggesting the attacker must be an authenticated user of the system, such as a student or legitimate user account.
RemediationAI
Immediate action required: Contact CodeAstro for patched versions and apply the update to all instances of Online Classroom. Until patching is possible, implement input validation and parameterized queries (prepared statements) in the /OnlineClassroom/studentdetails endpoint, specifically for the deleteid parameter - replace string concatenation with parameterized SQL to prevent injection. Additionally, apply least-privilege database access controls by restricting the application's database user account to only the minimum required permissions (removing rights to drop tables, alter schema, or access sensitive data outside the application's scope). Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the deleteid parameter, such as detecting single quotes, SQL keywords (UNION, SELECT, DROP), and comment sequences. However, note that WAF alone is insufficient and may be bypassed with encoding - this must be paired with code-level fixes. Enable database query logging and monitoring to detect injection attempts. Restrict network access to the /OnlineClassroom/studentdetails endpoint to trusted internal networks only if possible, reducing the attack surface to authenticated local users rather than remote access. For comprehensive guidance, refer to the VulDB submission at https://vuldb.com/submit/807695 and monitor https://codeastro.com/ for official security patches.
More in Online Classroom
View allSQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Execut
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26929