CVE-2025-11595
BaseFortify
Publication date: 2025-10-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | online_apartment_visitor_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11595 is a critical SQL injection vulnerability in Campcodes Online Apartment Visitor Management System version 1.0. It exists in the /admin-profile.php file due to improper handling of the 'mobilenumber' parameter, which is not properly validated or sanitized. This allows attackers to inject malicious SQL code remotely, potentially accessing, modifying, or deleting sensitive data in the database without proper authorization. [1, 2, 3]
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to unauthorized access to the database, allowing attackers to view, modify, or delete sensitive information. It can also result in full system compromise or service disruption. Since no authentication is required to exploit it, the risk is significant, potentially affecting system security and business continuity. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to unauthorized access and manipulation of sensitive data, which may result in data breaches. Such breaches can cause non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. Therefore, the vulnerability poses a risk to compliance with these standards. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'mobilenumber' parameter in the /admin-profile.php file for SQL injection. A proof-of-concept uses a time-based blind SQL injection payload leveraging the MySQL SLEEP() function sent as a multipart POST request. Additionally, vulnerable targets can be identified using Google dorking with the query: inurl:admin-profile.php. Specific commands to test might include sending crafted POST requests with SQL injection payloads in the 'mobilenumber' parameter and observing response delays or errors indicative of SQL injection. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and filtering on the 'mobilenumber' parameter to ensure inputs conform to expected formats, using prepared statements or parameterized queries to prevent SQL injection, minimizing database user permissions by avoiding high-privilege accounts for routine operations, and conducting regular security audits of code and systems. Replacement of the affected component with an alternative product is also suggested if remediation is not feasible. [2, 3, 1]