CVE-2025-1183

MediumPublic PoC

Published: 12 February 2025

Published

12 February 2025

Modified

25 February 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0010 27.7th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1183 is a medium-severity Injection (CWE-74) vulnerability in Codezips Gym Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by validating and sanitizing user inputs such as the login_id parameter in /dashboard/admin/more-userprofile.php.

SI-2 Flaw Remediation good match

prevent

Requires identification, prioritization, and timely remediation of the specific SQL injection flaw in CVE-2025-1183.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables vulnerability scanning to identify SQL injection issues like the login_id manipulation in the Gym Management System.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1087.001 Local Account Discovery

Adversaries may attempt to get a listing of local system accounts.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (/dashboard/admin/more-userprofile.php) enables remote exploitation (T1190), arbitrary database queries for data collection (T1213.006), and enumeration of local accounts via user profile data (T1087.001).

NVD Description

A vulnerability has been found in CodeZips Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/admin/more-userprofile.php. The manipulation of the argument login_id leads to sql injection. The attack can…

be launched remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-1183 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting CodeZips Gym Management System version 1.0. The flaw resides in an unknown functionality of the file /dashboard/admin/more-userprofile.php, where manipulation of the login_id argument enables SQL injection. The vulnerability was published on 2025-02-12 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is remotely exploitable by attackers possessing low privileges, such as authenticated users with basic access. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling partial unauthorized data access, modification of database content, or low-level denial of service.

Advisories detailing the issue are available via VulDB entries at https://vuldb.com/?ctiid.295087, https://vuldb.com/?id.295087, and https://vuldb.com/?submit.495410, along with additional information at https://www.yuque.com/polaris-pisym/aevk1q/fyu4dy8fglbs6rzy. The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s): CWE-74 CWE-89

Affected Products

codezips

gym management system

1.0

CVEs Like This One

CVE-2025-0231Same product: Codezips Gym Management System

CVE-2025-1854Same product: Codezips Gym Management System

CVE-2025-1206Same product: Codezips Gym Management System

CVE-2025-0881Same product: Codezips Gym Management System

CVE-2025-1856Same product: Codezips Gym Management System

CVE-2025-0532Same product: Codezips Gym Management System

CVE-2025-0541Same product: Codezips Gym Management System

CVE-2025-0535Same product: Codezips Gym Management System

CVE-2025-0562Same product: Codezips Gym Management System

CVE-2025-1188Same product: Codezips Gym Management System

References

https://vuldb.com/?ctiid.295087
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.295087
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.495410
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.yuque.com/polaris-pisym/aevk1q/fyu4dy8fglbs6rzy
Exploit, Third Party Advisory · cna@vuldb.com