CVE Alert: CVE-2025-11599 - Campcodes - Online Apartment Visitor Management System

CVE-2025-11599

HIGHNo exploitation known

A weakness has been identified in Campcodes Online Apartment Visitor Management System 1.0. This impacts an unknown function of the file /forgot-password.php. This manipulation of the argument email causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

CVSS v3.1 (7.3)

Vendor

Campcodes

Product

Online Apartment Visitor Management System

Versions

1.0

CWE

CWE-89, SQL Injection

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Published

2025-10-11T12:02:05.841Z

Updated

2025-10-11T12:02:05.841Z

References

https://vuldb.com/?id.327920

https://vuldb.com/?ctiid.327920

https://vuldb.com/?submit.671910

https://github.com/feiyang85/cve/issues/1

https://www.campcodes.com/

AI Summary Analysis

Risk verdict

Urgent: public exploit available for remote, unauthenticated SQL injection; treat as priority 1.

Why this matters

An attacker can reach the vulnerability over the network without authentication, potentially extracting or manipulating data via the forgot-password flow. While impact on each component is rated low, the ease of access and public PoC materially raises the risk of credential exposure or information disclosure, especially in environments with exposed web endpoints.

Most likely attack path

Attacker targets the forgot-password.php endpoint, supplying crafted input to trigger SQL injection. No user interaction or privileges are required, enabling automated probing from the internet. The attack could read user data or alter records, with potential follow-on attempts leveraging disclosed data for further access.

Who is most exposed

Organizations hosting the affected web application version in public or semi-public networks are at highest risk, particularly those with openly accessible forgot-password endpoints or default deployments lacking input sanitisation.

Detection ideas

Monitor for anomalous requests to forgot-password.php containing SQL keywords or unusual email parameters.
Look for spikes in requests to the endpoint, especially from unfamiliar IPs or user-agent strings.
Correlate sudden data-access patterns or credential reset activity with unusual query log entries.
WAF/IDS alerts for SQLi signatures targeting the parameter in forgot-password flows.
Review database logs for unexpected union/select patterns or data dumps tied to reset requests.

Mitigation and prioritisation

Apply vendor patch or upgrade to patched release; verify patch applicability in staging before production.
Enforce parameterised queries and prepared statements; tighten input validation on email field.
Deploy WAF/IPS rules targeting SQLi patterns; block exploit payloads for forgot-password endpoints.
Implement compensating controls: least-privilege DB accounts, monitor and alert on reset-related data access, restrict remote management.
If KEV/EPSS indicators are present, treat as priority 1 and accelerate change-management and testing.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: campcodes, CVE, cve-2025-11599, online-apartment-visitor-management-system, OSINT, threatintel