This vulnerability involves an SQL Injection in the contactno parameter of the forgot-password.php page in Apartment Visitors Management System V1.1. It allows unauthenticated attackers to alter SQL queries executed by the backend, which can lead to unauthorized retrieval of sensitive data stored in the database. The vulnerability is published but lacks detailed CVSS scoring and vendor remediation information. No patch or official fix has been documented, and no known exploits have been reported.

Successful exploitation could allow an attacker to access sensitive database contents without authentication, potentially exposing user data or other confidential information managed by the system. The exact scope and extent of data exposure depend on the database structure and contents but represent a significant confidentiality risk.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected functionality, implementing web application firewalls with SQL injection detection, or applying input validation and sanitization as temporary mitigations.