Impact
The vulnerability is a classic SQL injection flaw caused by improper handling of the visname parameter in the visitor-entry.php file. This weakness is defined by CWE-74 and CWE-89, meaning that unvalidated input is concatenated directly into SQL queries. An attacker could manipulate the visname value to inject arbitrary SQL statements, potentially reading, modifying, or deleting visitor database records and compromising the confidentiality and integrity of the system.
Affected Systems
CodeAstro’s Apartment Visitor Management System, specifically version 1.0, is affected. The issue resides in the visitor-entry.php component processed by the application and is not limited to any particular operating environment beyond the web context of the product.
Risk and Exploitability
With a CVSS score of 5.3 the vulnerability is considered moderate to high risk. The EPSS score is below 1%, indicating a low probability of mass exploitation, yet the fact that an exploit exists and can be triggered remotely via the visname argument suggests that an attacker can initiate an attack from any network accessible to the web application. The vulnerability is not listed in the CISA KEV catalog, but its public availability and potential impact warrant cautious monitoring and remediation.
OpenCVE Enrichment