CVE-2026-11584
Description
SQL injection vulnerability in CodeAstro Student Attendance Management System 1.0 allows remote attackers to access and manipulate the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in CodeAstro Student Attendance Management System version 1.0, specifically within the file /attendance-php/Admin/createClass.php when the action parameter is set to edit. The vulnerability arises from the direct use of the Id parameter in SQL queries without proper sanitization or validation, allowing for manipulation of database operations [1].
Exploitation
An attacker can exploit this vulnerability remotely by manipulating the Id parameter in a GET request to the /attendance-php/Admin/createClass.php?action=edit endpoint. By injecting malicious SQL code into the Id parameter, an attacker can alter or execute arbitrary SQL queries against the application's database [1].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized access to the database, disclosure of sensitive information, data tampering, or even complete system control. In severe cases, it could also result in service interruption [1].
Mitigation
No specific patched version or release date has been disclosed in the available references. Users are advised to consult the vendor for potential updates or security advisories. The vendor's homepage is available at [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly sanitize user-supplied input in the 'Id' parameter, allowing it to be directly included in SQL queries."
Attack vector
The vulnerability is in the file `/attendance-php/Admin/createClass.php` and is triggered by manipulating the `Id` parameter. An attacker can send a crafted GET request to the server, injecting malicious SQL code into the `Id` parameter. This allows the attacker to execute arbitrary SQL commands on the database, as the input is not properly validated or escaped before being used in a query [1]. The attack can be launched remotely and does not require authentication.
Affected code
The vulnerability resides in the `/attendance-php/Admin/createClass.php` file, specifically when processing the `Id` parameter. The issue arises because this parameter is used directly in SQL queries without adequate sanitization or validation [1].
What the fix does
The advisory suggests using prepared statements and parameter binding to prevent SQL injection. This approach separates SQL code from user-supplied data, ensuring that user input is treated as literal data and not executable SQL commands. Additionally, the advisory recommends strict input validation and filtering, minimizing database user permissions, and conducting regular security audits to identify and fix vulnerabilities.
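The following is an added illustration of the fix pattern the advisory describes, not CodeAstro's own code: the unsanitized concatenation is shown next to a version that validates `Id` as an integer and binds it as a PDO parameter. The table name `classes`, column `class_name`, the DSN, the database account and the `DB_PASS` environment variable are hypothetical placeholders.

```php
<?php
// Added illustration (not the project's code). `classes`, `class_name`,
// the DSN and the DB account name are hypothetical placeholders.

// VULNERABLE pattern, the class of defect described in this CVE: the raw
// Id query-string value becomes part of the SQL text, so metacharacters
// in it change the statement the database executes.
function loadClassUnsafe(PDO $db, array $get): ?array
{
    $sql = "SELECT * FROM classes WHERE Id = " . $get['Id'];
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED version: check the action, validate the type, then bind the
// value. The SQL text is fixed and Id travels to the server as data only.
function loadClassSafe(PDO $db, array $get): ?array
{
    if (!isset($get['action'], $get['Id']) || $get['action'] !== 'edit') {
        return null;
    }
    // Strict input validation: Id must be a positive integer.
    $id = filter_var($get['Id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT Id, class_name FROM classes WHERE Id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Least privilege: connect as an account granted only what this page
// needs. Emulated prepares are disabled so the server does the binding.
$db = new PDO(
    'mysql:host=localhost;dbname=attendance;charset=utf8mb4',
    'attendance_app',                 // placeholder: a restricted DB user
    getenv('DB_PASS'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$class = loadClassSafe($db, $_GET);
```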
Preconditions
- Network: the attacker must be able to send requests to the vulnerable server.
- Input: the attacker must be able to control the value of the 'Id' parameter.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.