CVE Alert: CVE-2025-11350 – Campcodes – Online Apartment Visitor Management System
CVE-2025-11350
A security flaw has been discovered in Campcodes Online Apartment Visitor Management System 1.0. The affected element is an unknown function of the file /bwdates-reports-details.php. Manipulation of the argument fromdate/todate results in SQL injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be used.
AI Summary Analysis
Risk verdict
High risk: public exploit available and remote access without authentication makes rapid exploitation plausible.
Why this matters
The flaw enables SQL injection via a visible endpoint, potentially exposing or tampering with visitor data and related records. With no user interaction required, an attacker could exfiltrate sensitive information or alter reports, threatening the confidentiality and integrity of property management data and undermining business operations.
Most likely attack path
An attacker uses fromdate/todate inputs to trigger an injection in bwdates-reports-details.php. Given AV:N, AC:L, PR:N, UI:N, the attempt requires no credentials or user action and can succeed over the network. Exploitation could yield data leakage (C) and potential data modification (I) with low to moderate impact per CVSS, enabling further reconnaissance or partial disruption but limited by scope and permissions of the database user.
Who is most exposed
Sites running Campcodes Online Apartment Visitor Management System 1.0 with publicly accessible PHP endpoints are at risk, typical of small-to-mid-sized property management deployments hosted on shared or cloud web servers.
Detection ideas
- Web server/app logs show repeated requests to bwdates-reports-details.php with manipulated fromdate/todate parameters.
- SQL error messages or anomalies in responses indicating injection attempts (tautologies, UNION SELECT patterns).
- Unusual data retrieval patterns or spikes in DB query latency tied to the vulnerable endpoint.
- IDS/WAF alerts for SQLi signatures targeting PHP-based endpoints.
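The first two detection ideas above can be turned into a log-scanning check. The following is an added example written for this alert, not code from the advisory or from the affected product. It assumes a "combined" style web access log, assumes the endpoint expects fromdate/todate as plain YYYY-MM-DD values (a guess about the application, not something the advisory states), and uses constructed sample lines rather than real traffic:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). These are illustrative only,
# not real traffic against the affected product.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:01:02 +0000] "GET /bwdates-reports-details.php?fromdate=2025-10-01&todate=2025-10-12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2025:10:01:09 +0000] "GET /bwdates-reports-details.php?fromdate=2025-10-01'&todate=2025-10-12 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2025:10:01:15 +0000] "GET /bwdates-reports-details.php?fromdate=2025-10-01%27+OR+%271%27%3D%271&todate=2025-10-12 HTTP/1.1" 200 98765 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.10 - - [12/Oct/2025:10:02:30 +0000] "GET /bwdates-reports-details.php?fromdate=2025-10-01%27+UNION+SELECT+1%2C2%2C3--+&todate=2025-10-12 HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

VULN_PATH = "/bwdates-reports-details.php"          # endpoint named in the advisory
WATCHED_PARAMS = ("fromdate", "todate")             # parameters named in the advisory
# Assumption: a legitimate value is a bare ISO date. Anything else is worth a look.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Generic SQLi indicators the advisory mentions (tautologies, UNION SELECT) plus comment markers.
SQLI_RE = re.compile(r"(\bunion\b.*\bselect\b|'\s*or\s*'|--|/\*|;)", re.IGNORECASE)


def classify_line(line):
    """Return (ip, status, reasons) for a suspicious request to the vulnerable endpoint,
    or None when the line is irrelevant or looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces for us.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if not DATE_RE.match(value):
                reasons.append(f"{name}: not a plain date")
            if SQLI_RE.search(value):
                reasons.append(f"{name}: SQLi pattern")
    status = int(m.group("status"))
    if status >= 500:
        # A 5xx on this endpoint is consistent with a SQL error surfacing from the backend.
        reasons.append("server error (possible SQL error)")
    if not reasons:
        return None
    return m.group("ip"), status, reasons


def scan(log_text):
    """Aggregate suspicious requests per source IP so repeated probing stands out."""
    hits = {}
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        ip, status, reasons = result
        entry = hits.setdefault(ip, {"count": 0, "errors": 0, "reasons": set()})
        entry["count"] += 1
        if status >= 500:
            entry["errors"] += 1
        entry["reasons"].update(reasons)
    return hits


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry["count"], "suspicious request(s),", entry["errors"], "server error(s)")
        for reason in sorted(entry["reasons"]):
            print("   -", reason)
```

The check flags three of the five constructed lines, all from one source, one of them paired with a 500 response; the benign date-range request and the unrelated /index.php request are ignored. In practice the same classification can be fed into a SIEM rule keyed on the request count per source and the presence of 5xx responses on this path.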
Mitigation and prioritisation
- Apply vendor patch or upgrade to fixed version as soon as available; if unavailable, implement strict input validation and parameterised queries at the application layer.
- Refactor the endpoint to use prepared statements; enforce least-privilege database accounts.
- Disable or temporarily restrict access to the vulnerable endpoint until patched; implement WAF rules to block SQLi patterns.
- Run targeted tests in a staging environment before redeploy; ensure comprehensive logging and alerting for future injections.
- If the CVE is added to CISA KEV or its EPSS score becomes high, elevate to priority 1.
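The first two mitigation items (strict input validation and parameterised queries) are illustrated below. This is an added example, not code from the advisory or from the Campcodes product; it stands in for a PHP date-range report with a Python sqlite3 model, and the table schema and row data are constructed for the demonstration. The vulnerable function shows the string-splicing anti-pattern the advisory describes; the hardened function validates both dates against an allow-list format and binds them as parameters so they can never alter the SQL text:

```python
import re
import sqlite3
from datetime import date


def make_db():
    """Constructed in-memory table standing in for a visitor-log table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (id INTEGER PRIMARY KEY, name TEXT, visit_date TEXT)")
    conn.executemany(
        "INSERT INTO visitors (name, visit_date) VALUES (?, ?)",
        [("Alice", "2025-09-20"), ("Bob", "2025-10-03"), ("Carol", "2025-10-08"), ("Dave", "2025-10-15")],
    )
    conn.commit()
    return conn


def report_vulnerable(conn, fromdate, todate):
    """Anti-pattern: request parameters spliced straight into the SQL text.
    A quote in either value changes the meaning of the WHERE clause."""
    sql = (
        "SELECT name FROM visitors "
        f"WHERE visit_date >= '{fromdate}' AND visit_date <= '{todate}'"
    )
    return [row[0] for row in conn.execute(sql)]


ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_iso_date(value):
    """Allow-list validation: accept exactly YYYY-MM-DD and a real calendar date, reject all else."""
    if not isinstance(value, str) or not ISO_DATE_RE.match(value):
        raise ValueError(f"invalid date: {value!r}")
    return date.fromisoformat(value)


def report_hardened(conn, fromdate, todate):
    """Validated input plus a parameterised query: the values are bound by the driver,
    never interpolated, so they cannot become SQL."""
    start = parse_iso_date(fromdate)
    end = parse_iso_date(todate)
    if start > end:
        raise ValueError("fromdate must not be after todate")
    sql = (
        "SELECT name FROM visitors "
        "WHERE visit_date >= ? AND visit_date <= ? ORDER BY visit_date"
    )
    return [row[0] for row in conn.execute(sql, (start.isoformat(), end.isoformat()))]


if __name__ == "__main__":
    conn = make_db()
    print("normal range, vulnerable:", report_vulnerable(conn, "2025-10-01", "2025-10-12"))
    print("normal range, hardened: ", report_hardened(conn, "2025-10-01", "2025-10-12"))
    # A tautology in todate (the kind of value the detection section mentions) widens the
    # vulnerable query to every row; the hardened version refuses the input outright.
    tainted = "2025-10-12' OR '1'='1"
    print("tainted, vulnerable:", report_vulnerable(conn, "2025-10-01", tainted))
    try:
        report_hardened(conn, "2025-10-01", tainted)
    except ValueError as exc:
        print("tainted, hardened: rejected ->", exc)
```

Validation and parameterisation are complementary, not alternatives: the parameter binding is what stops injection, while the strict date format keeps garbage out of the report logic and gives the application a clean point at which to log and reject malformed requests. The same pattern maps directly onto PDO or mysqli prepared statements in PHP. Running the report under a database account limited to SELECT on the tables the report needs (the least-privilege item above) bounds the damage if any other query path is missed.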