Impact
An unknown function within the /apartment-visitor/add-apartment.php script of CodeAstro Apartment Visitor Management System 1.0 accepts the apartmentno parameter without proper validation, leading to an SQL injection flaw. The flaw permits an attacker to inject malicious SQL through the apartmentno field, potentially compromising the integrity and confidentiality of the underlying database. The vulnerability can be triggered remotely by submitting crafted HTTP requests, as documented by the public exploit.
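The advisory does not reproduce the affected code, so the following is an added illustration of the pattern it describes and its fix, not code from CodeAstro Apartment Visitor Management System. The connection variable, the `apartments` table, the `apartmentno` column and the accepted format are assumptions chosen for the example.

```php
<?php
// Added example: hypothetical names, not the product's own code.
// Assumed: a mysqli connection $db and a table `apartments` with an
// `apartmentno` column (the real schema is not shown in the advisory).

// Pattern the advisory describes: the request parameter is spliced into the
// SQL text, so the database cannot tell user data from query structure.
function addApartmentUnsafe(mysqli $db, array $post): bool
{
    $apartmentno = $post['apartmentno'] ?? '';
    $sql = "INSERT INTO apartments (apartmentno) VALUES ('" . $apartmentno . "')";
    return $db->query($sql) !== false;
}

// Hardened form: validate the value against the format the application
// expects, then bind it as a parameter so it is always treated as data.
function addApartmentSafe(mysqli $db, array $post): bool
{
    $apartmentno = trim((string) ($post['apartmentno'] ?? ''));

    // Allow-list check; the permitted format is an assumed policy.
    if (!preg_match('/^[A-Za-z0-9-]{1,10}$/', $apartmentno)) {
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare("INSERT INTO apartments (apartmentno) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $apartmentno);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Example wiring (connection details are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'visitor_db');
// addApartmentSafe($db, $_POST);
```

The prepared statement is what closes the injection path; the allow-list check in front of it additionally rejects malformed input early and gives a clear 400 response, which is also a convenient point to log rejected values for detection.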
Affected Systems
The affected product is CodeAstro Apartment Visitor Management System version 1.0. No other variants or versions are listed in the CNA data.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate risk, and no EPSS score is available. The flaw is not listed in the CISA KEV catalog, but a public exploit has already been released, which raises the likelihood of real-world attacks. Because the vulnerability can be triggered remotely through web traffic, the attack vector is most likely an HTTP request to the vulnerable endpoint. Organisations using the product should assume deliberate exploitation is possible until a vendor fix or mitigating controls are applied.
OpenCVE Enrichment