CRITICAL🇵🇱 Wersja polska

CVE-2025-70150

CVSS 9.8v3.1pub. 2026-02-18upd. 2026-02-23

CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.

🤖 AI Analysis
How it works

The attacker sends an HTTP request to the delete_members.php endpoint, providing the member record identifier in the 'id' parameter. The file does not verify the identity or permissions of the requester, so the deletion operation is performed without any access control. This allows a person without any account in the system to manipulate the database.

Impact

An attacker without any privileges can permanently delete any member records from the system, leading to data loss and disruption of application continuity. In extreme cases, it is possible to completely clear the organization's member database.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. Until the fix is implemented, it is recommended to restrict network access to the delete_members.php file at the web server or firewall level and implement authentication requirements for all data-modifying operations.

Who is affected

CodeAstro Membership Management System version 1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Codeastro Membership Management System

    APP
    Codeastro
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-70149CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Codeastro Membership Management System via parametr ID

CVE-2024-25867CRITICAL9.1PL ✓ten sam produkt

SQL Injection w CodeAstro Membership Management System via add_type.php

CVE-2025-70148HIGH7.5ten sam produkt

Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management Syste...

CVE-2024-46472HIGH8.6ten sam produkt

CodeAstro Membership Management System 1.0 is vulnerable to SQL Injection via the parameter 'email' in the Log...

CVE-2024-46471HIGH7.5ten sam produkt

The Directory Listing in /uploads/ Folder in CodeAstro Membership Management System 1.0 exposes the structure ...