CVE-2025-11350 is a SQL injection vulnerability identified in version 1.0 of the Campcodes Online Apartment Visitor Management System, specifically within the /bwdates-reports-details.php script. The vulnerability arises due to insufficient input validation or sanitization of the 'fromdate' and 'todate' parameters, which are used to generate date range reports. An attacker can remotely send crafted HTTP requests manipulating these parameters to inject arbitrary SQL commands into the backend database query. This injection can allow unauthorized reading, modification, or deletion of data, potentially exposing sensitive visitor information or disrupting system operations. The vulnerability does not require authentication or user interaction, increasing its exploitability. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploitation has been reported, the public availability of exploit code raises the likelihood of attacks. The absence of official patches necessitates immediate mitigation efforts by administrators. This vulnerability highlights the critical need for secure coding practices, especially in web applications handling sensitive data such as visitor management systems.

The SQL injection vulnerability can lead to unauthorized disclosure of sensitive visitor data, including personal identification and visit logs, compromising confidentiality. Attackers may also alter or delete records, impacting data integrity and potentially disrupting apartment security operations, affecting availability. Since the system manages visitor access, exploitation could facilitate unauthorized physical access or tracking. The ease of remote exploitation without authentication broadens the attack surface, potentially affecting all deployments of version 1.0. Organizations relying on this system risk reputational damage, regulatory penalties for data breaches, and operational disruptions. The public release of exploit code increases the urgency of addressing this vulnerability to prevent widespread abuse.

1. Immediately restrict external network access to the Campcodes Online Apartment Visitor Management System, especially the /bwdates-reports-details.php endpoint, using firewalls or VPNs. 2. Implement strict input validation and sanitization on the 'fromdate' and 'todate' parameters, ensuring only valid date formats are accepted. 3. Refactor database queries to use parameterized prepared statements or stored procedures to eliminate direct concatenation of user input. 4. Monitor web server logs for suspicious requests targeting the vulnerable parameters and implement intrusion detection signatures. 5. If possible, upgrade to a patched version once released by the vendor or apply vendor-provided workarounds. 6. Conduct a thorough audit of database access logs and visitor data for signs of compromise. 7. Educate system administrators on secure coding and patch management practices to prevent similar vulnerabilities. 8. Consider deploying Web Application Firewalls (WAFs) with custom rules to block SQL injection attempts targeting this system.