Impact
The vulnerability is a remote SQL injection in CodeAstro Apartment Visitor Management System 1.0. Manipulating the ‘remark’ argument in /apartment an attacker to inject arbitrary SQL commands. This flaw is equivalent to a classic SQL injection (CWE‑89) and may also involve improper handling of special HTML elements within input, as indicated by CWE‑74. An attacker could thus read, modify, or delete sensitive data stored in the Apartment Visitor Management System, version 1.0. The flaw resides specifically in the action-visitor.php module, which processes visitor data and accepts the ‘remark’ field. No other versions or additional components are identified as vulnerable.
Affected Systems
CodeAstro’s Apartment Visitor Management System version 1.0 is affected, specifically the action‑visitor.php module accessed via /apartment-visitor/action‑visitor.php, which processes visitor remarks. The vulnerability has been identified only in this version; no other components or versions are reported to be affected.
Risk and Exploitability
The CVSS score is 5.3, indicating moderate severity. The EPSS score is below 1%, implying that the likelihood of exploitation in the wild is low. The vulnerability is not listed in CISA's KEV catalog, and exploit details are publicly available. Because the attack vector is remote, an unauthenticated outsider could target the endpoint, provided they can submit a crafted ‘remark’ parameter. The lack of high exploit probability and absence from KEV reduces urgency but the risk is non‑zero and could lead to data exposure or loss.
OpenCVE Enrichment