VYPR
Medium severity (6.3) · NVD Advisory · Published Jun 8, 2026

CVE-2026-11583

Description

SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote attackers to access, modify, or delete database data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the CodeAstro Student Attendance Management System version 1.0, specifically within the /attendance-php/Admin/createClass.php file. The vulnerability arises from the improper handling of the className parameter, which is directly incorporated into SQL queries without adequate sanitization or validation [1].

Exploitation

An attacker can exploit this vulnerability remotely by manipulating the className parameter. By injecting malicious SQL code into this parameter, an attacker can alter the intended SQL queries. The provided payload example suggests a time-based blind SQL injection technique targeting MySQL [1].

Impact

Successful exploitation of this SQL injection vulnerability allows attackers to gain unauthorized access to the system's database. This can lead to sensitive data leakage, data tampering, or deletion, and potentially compromise the entire system. In severe cases, it could also result in service interruption [1].

Mitigation

No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult the vendor for information on mitigation or updated versions. The vendor's website is available at [2].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application directly incorporates user-supplied input from the 'className' parameter into SQL queries without proper sanitization or validation."

Attack vector

The vulnerability is present in the `/attendance-php/Admin/createClass.php` file. An attacker can exploit this by manipulating the `className` argument, which is used directly in SQL queries. This allows for remote exploitation as the attack can be initiated over the network. The attacker can inject malicious SQL code to alter or extract data from the database [1].

Affected code

The vulnerability resides in the `/attendance-php/Admin/createClass.php` file. Specifically, the `className` parameter is susceptible to manipulation, leading to SQL injection [1].

What the fix does

The advisory suggests using prepared statements with parameter binding to prevent SQL injection. This method separates SQL code from user input, ensuring that user-supplied values are treated as data and not executable SQL commands. Additionally, strict input validation and filtering are recommended to ensure data conforms to expected formats. Minimizing database user permissions and conducting regular security audits are also advised [1].
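The following is an added illustration of the recommended fix, written for this page; it is not code from CodeAstro's `createClass.php`. The table name `tblclass`, the column name `className`, the validation pattern and the database account name are assumed placeholders. The first function shows the general shape of the defect the advisory describes (input concatenated into the SQL text); the second shows the same insert using allow-list validation, a prepared statement with a bound parameter, and a comment on running the application under a least-privilege database account, which are the three mitigations the advisory lists.

```php
<?php
// Added example for this advisory. NOT the project's own code.
// `tblclass`, `className` (column) and the account name are assumed placeholders.

// --- Vulnerable pattern: the kind of construct the advisory describes ---
function createClassUnsafe(mysqli $db, string $className): bool
{
    // The request value is spliced straight into the SQL text, so a crafted
    // value changes the structure of the statement instead of being stored
    // as data. This is the defect prepared statements remove.
    $sql = "INSERT INTO tblclass (className) VALUES ('" . $className . "')";
    return $db->query($sql) === true;
}

// --- Hardened version: validate first, then bind the value as a parameter ---
function createClassSafe(mysqli $db, string $className): bool
{
    // Allow-list validation (assumed policy): letters, digits, spaces and
    // dashes, 1 to 50 characters. Anything else is rejected before it
    // reaches the database layer.
    if (!preg_match('/^[A-Za-z0-9 \-]{1,50}$/', $className)) {
        return false;
    }

    // Prepared statement: the SQL text is fixed at prepare time and the value
    // travels separately, so the server never parses it as SQL.
    $stmt = $db->prepare('INSERT INTO tblclass (className) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $className);   // 's' = bind as string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Typical call site in the request handler (hypothetical):
// The account used here should hold only the privileges the application
// needs (e.g. INSERT/SELECT on its own tables), not DROP, FILE or GRANT.
// $db = new mysqli('localhost', 'attendance_app', '<password>', 'attendance');
// $created = createClassSafe($db, $_POST['className'] ?? '');
```

Input validation on its own is not the fix; the prepared statement is what guarantees the value is treated as data. The allow-list is an extra layer that also enforces the application's own format expectations, and a rejected value can be logged as a signal worth reviewing.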

Preconditions

  • Network: The attack can be initiated remotely.
  • Auth: The attacker requires low privileges (PR:L) to exploit this vulnerability.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.