Impact
The CodeAstro Human Resource Management System version 1.0 contains a weakness in the Invoice function located in Payroll.php. The ID argument can be manipulated to cause arbitrary SQL injection. Remote exploitation is possible, and the exploit code has been released publicly. This flaw could allow an attacker to send crafted SQL statements that the application will execute against the database.
Affected Systems
Affected installations are those running CodeAstro Human Resource Management System 1.0, specifically the Payroll Invoice Module and its Invoice function in the Payroll.php controller. No patched version is indicated in the CNA data, so all current 1.0 deployments remain vulnerable.
Risk and Exploitability
The CVSS score of 5.3 reflects moderate severity. The EPSS score is not available, so there is no data on the likelihood of exploitation. The vulnerability is not catalogued in CISA KEV. A remote attacker can supply a malicious ID parameter via HTTP requests or forms, potentially triggering the SQL injection. Publicly available exploit code facilitates such attacks.
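As an added illustration (not the project's own code), the following contrasts the kind of string-built query that lets a request's ID argument change the SQL with a hardened form that validates the value as an integer and binds it through a PDO prepared statement; the table name, column name and function names are assumptions.

```php
<?php
// Added example, not code from CodeAstro HRMS. Table payroll_invoice and
// column invoice_id are assumed names used only to show the pattern.

// Vulnerable pattern: the raw request value is spliced into the SQL text,
// so the database parses attacker-controlled input as part of the query.
function getInvoiceVulnerable(PDO $db, array $request): ?array
{
    $id  = $request['ID'] ?? '';
    $sql = "SELECT * FROM payroll_invoice WHERE invoice_id = '$id'";
    $res = $db->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: reject anything that is not a positive integer, then
// bind the value as a parameter so it can never alter the statement's
// structure regardless of its content.
function getInvoiceSafe(PDO $db, array $request): ?array
{
    $id = filter_var(
        $request['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400); // invalid or missing ID: refuse the request
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM payroll_invoice WHERE invoice_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Auditing a controller such as Payroll.php for this defect means locating every place a request value reaches a query string through concatenation or interpolation; each such site is a candidate for the parameterised form shown above.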
OpenCVE Enrichment