Impact
The System contains a function in index.php that accepts an email parameter without proper input validation. This allows an attacker to inject arbitrary SQL statements through that parameter, resulting in a classic SQL injection vulnerability (CWE-74 and CWE-89). An unauthenticated attacker can supply a crafted email value to read, modify or delete data that the application stores in its database. The compromise can affect confidentiality, integrity and availability of employee leave records and other sensitive information.
Affected Systems
The affected product is CodeAstro Simple Online Leave Management System version 1.0. No other versions or variants are listed as impacted.
Risk and Exploitability
The CVSS score of 6.9 signals a medium‑severity risk. The EPSS score is currently not available, so specific exploit probability is unknown. The vulnerability is publicly disclosed and can be triggered from the internet through the web interface, indicating that the attack vector is remote. An attacker does not need special credentials; knowledge of the URL and the ability to transmit a crafted email parameter is sufficient to exploit the flaw. The vulnerability is not in the CISA KEV catalog.
OpenCVE Enrichment