Student Attendance Management System
SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
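The unsafe query pattern behind an injectable `admissionNumber` parameter, beside a hardened version, as an added example that is not CodeAstro's code; the table layout, the admission-number format rule and the use of PDO with an in-memory SQLite database are assumptions made so it runs stand-alone:

```php
<?php
// Added example (not the project's code): string-built SQL versus a prepared
// statement with input validation. In-memory SQLite stands in for the real
// database; the students table layout is an assumption.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (admissionNumber TEXT PRIMARY KEY, name TEXT)');

// Vulnerable pattern: the request value is spliced into the SQL text, so the
// database parses admin-supplied characters as part of the statement.
function createStudentUnsafe(PDO $pdo, string $admissionNumber, string $name): void
{
    $sql = "INSERT INTO students (admissionNumber, name) VALUES ('$admissionNumber', '$name')";
    $pdo->exec($sql);
}

// Hardened pattern: reject values outside the expected identifier shape, then
// bind the value as a parameter so it can only ever be data.
function createStudentSafe(PDO $pdo, string $admissionNumber, string $name): bool
{
    // Assumed format: 1-20 letters, digits or dashes. Reject rather than "clean".
    if (!preg_match('/^[A-Za-z0-9-]{1,20}$/', $admissionNumber)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO students (admissionNumber, name) VALUES (:adm, :name)');
    $stmt->execute([':adm' => $admissionNumber, ':name' => $name]);
    return true;
}

// Constructed sample input containing a single quote.
$input = "ADM-00'1";

try {
    createStudentUnsafe($pdo, $input, 'Test');
} catch (PDOException $e) {
    // The quote terminates the literal early: proof the value reached the parser as SQL.
    echo "unsafe path: {$e->getMessage()}\n";
}

var_dump(createStudentSafe($pdo, $input, 'Test'));     // bool(false): rejected by validation
var_dump(createStudentSafe($pdo, 'ADM-001', 'Test'));  // bool(true): stored as bound data
```

The same split applies server-side for detection: a web or database log showing quote characters or SQL keywords inside `admissionNumber` for `createStudents.php` requests is the signal to look for on a deployed instance.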