
CVE-2025-10407: SQL Injection in SourceCodester Student Grading System

Severity: Medium
Tags: Vulnerability, CVE-2025-10407
Published: Sun Sep 14 2025 (09/14/2025, 19:32:08 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Student Grading System

Description

A vulnerability was identified in SourceCodester Student Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_user.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/14/2025, 19:39:04 UTC

Technical Analysis

CVE-2025-10407 is a medium-severity SQL injection vulnerability in SourceCodester Student Grading System version 1.0. The flaw is in /view_user.php, where the 'ID' request parameter is placed into a SQL query without validation or parameter binding, so a remote attacker controls part of the statement the database executes. Exploitation can expose the contents of the backend database (student records, grades, account data) and, depending on the privileges of the application's database account, allow data to be modified or deleted. The CVSS 4.0 vector indicates the attack is network-reachable (AV:N), has low attack complexity (AC:L), requires low privileges (PR:L), meaning an authenticated low-privileged account is sufficient, needs no user interaction (UI:N), and has low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). No exploitation in the wild has been reported, but a public exploit exists, which lowers the bar for opportunistic attacks.
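The following is an added illustration, not code from the Student Grading System or from the advisory: a Python/sqlite3 model of the flaw class described above, with the ID parameter concatenated into the query, beside a hardened form that allowlists an integer and binds it as a query parameter. The schema, table and column names are assumptions, the database engine is a stand-in for whatever the application uses, and the real query form is not published; the example assumes an unquoted numeric context (`WHERE id = <ID>`).

```python
import re
import sqlite3

# Constructed stand-in for the grading system's database. The table and column
# names are assumptions for this illustration, not SourceCodester's real schema.
def build_sample_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'Alice Student', 'student'),
                                 (2, 'Bob Student', 'student'),
                                 (3, 'Carol Teacher', 'teacher');
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 'hash-alice'), (2, 'admin', 'hash-admin');
    """)
    return db


def view_user_vulnerable(db: sqlite3.Connection, user_id: str) -> list:
    """Models the flaw class: the ID request parameter is concatenated into the SQL,
    so the caller controls part of the statement (assumes an unquoted numeric context)."""
    sql = f"SELECT id, name, role FROM users WHERE id = {user_id}"
    return db.execute(sql).fetchall()


def view_user_safe(db: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: allowlist the parameter as a non-negative integer, then bind
    it as a query parameter so the database never parses it as SQL."""
    if re.fullmatch(r"[0-9]+", user_id) is None:
        raise ValueError("ID must be a non-negative integer")
    sql = "SELECT id, name, role FROM users WHERE id = ?"
    return db.execute(sql, (int(user_id),)).fetchall()


def demo() -> dict:
    """Run both handlers against a legitimate ID and two injection payloads."""
    db = build_sample_db()
    boolean_payload = "1 OR 1=1"   # tautology: the WHERE clause matches every user
    # cross-table read: column count matches the original SELECT, so rows from
    # a table the endpoint was never meant to touch come back in the user view
    union_payload = "0 UNION SELECT id, username, password_hash FROM accounts"
    result = {
        "normal": view_user_vulnerable(db, "1"),
        "boolean": view_user_vulnerable(db, boolean_payload),
        "union": view_user_vulnerable(db, union_payload),
        "safe_normal": view_user_safe(db, "1"),
    }
    try:
        view_user_safe(db, boolean_payload)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the script shows the vulnerable handler returning one row for `ID=1`, all three users for the tautology, and the `accounts` rows (including password hashes) for the UNION payload, while the hardened handler serves the legitimate request and rejects the payload before any SQL is built. If the real query quotes the value (`WHERE id = '<ID>'`), the payloads need a closing quote, but the integer allowlist plus parameter binding stops them just the same.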

Potential Impact

For European organizations, particularly educational institutions using the SourceCodester Student Grading System 1.0, this vulnerability poses a risk of unauthorized data disclosure and data integrity compromise. Exposure of student records, grades, and personal information could lead to privacy violations under GDPR, resulting in legal and financial penalties. Additionally, manipulation of grading data could undermine academic integrity and institutional reputation. The remote exploitability without user interaction increases the risk of automated attacks or exploitation by malicious actors targeting educational infrastructure. The medium severity suggests moderate risk, but the presence of public exploit code necessitates prompt attention to prevent potential breaches.

Mitigation Recommendations

Organizations should audit their use of SourceCodester Student Grading System version 1.0 and locate every deployment exposing the /view_user.php endpoint. No official patch is linked in the advisory, so the durable fix is in the code: validate the 'ID' parameter as an integer and reject anything else, and pass it to the database through a prepared statement with bound parameters (in PHP, PDO or MySQLi prepared statements) rather than string concatenation. Stored procedures help only if they do not build dynamic SQL internally. Run the application's database account with the minimum privileges it needs, so a successful injection cannot read unrelated tables or alter data. A Web Application Firewall can block common SQL injection patterns aimed at this endpoint, but it is a stopgap, not a fix. Review web server access logs for requests to /view_user.php whose ID value is not a plain number, and database logs for unexpected UNION or boolean-condition queries, to detect exploitation attempts. Upgrade if a fixed release becomes available; otherwise consider replacing the system with a maintained alternative. Regular security assessments and penetration testing focused on injection flaws remain advisable.
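As an added example, not part of the advisory, the access-log check described above in Python over constructed Apache combined-format log lines; the addresses, timestamps and payloads are made up for the demonstration. It applies the same allowlist the fix should apply: any request to /view_user.php whose ID is not a plain integer is reported, together with the SQL keywords and metacharacters found in the percent-decoded value.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log lines for the demonstration;
# the addresses, timestamps and payloads are made up, not observed traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Sep/2025:19:40:01 +0000] "GET /view_user.php?ID=7 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2025:19:40:05 +0000] "GET /view_user.php?ID=7%20OR%201%3D1 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2025:19:41:12 +0000] "GET /view_user.php?ID=0%20UNION%20SELECT%201,username,password%20FROM%20users-- HTTP/1.1" 200 2210 "-" "sqlmap/1.8"
198.51.100.7 - - [14/Sep/2025:19:41:13 +0000] "GET /index.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Sep/2025:19:42:00 +0000] "GET /view_user.php?ID=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1100 "-" "curl/8.4"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

VULN_PATH = "/view_user.php"
ID_ALLOWLIST = re.compile(r"[0-9]+")          # the only shape a legitimate ID can have
# keywords and metacharacters that explain *why* a non-numeric ID looks like injection
SQLI_HINTS = re.compile(r"(?i)\b(?:union|select|sleep|benchmark|or|and)\b|'|--|/\*|;")


def inspect_request(line: str) -> Optional[dict]:
    """Return a finding for a /view_user.php request whose ID fails the allowlist, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    if url.path != VULN_PATH:
        return None
    # parse_qs percent-decodes the values, so the check sees what PHP's $_GET would see
    for value in parse_qs(url.query, keep_blank_values=True).get("ID", []):
        if ID_ALLOWLIST.fullmatch(value):
            continue
        return {
            "ip": m["ip"],
            "ts": m["ts"],
            "ua": m["ua"],
            "bytes": int(m["bytes"]) if m["bytes"].isdigit() else 0,
            "id": value,
            "hints": sorted({h.lower() for h in SQLI_HINTS.findall(value)}),
        }
    return None


def scan_log(text: str) -> list:
    """Scan a whole log and return one finding per suspicious /view_user.php request."""
    return [f for f in (inspect_request(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} ({finding['ua']}) ID={finding['id']!r} "
              f"hints={finding['hints']} bytes={finding['bytes']}")
```

On the sample, the legitimate `ID=7` request and the unrelated `/index.php` hit produce nothing, while the tautology, the UNION read and the time-based probe are each reported with their decoded payload. The response size is kept in the finding because a jump from 1532 bytes for a normal request to 9981 bytes for the tautology is the kind of "unusual access pattern" worth correlating even when a payload is obfuscated past the keyword list.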


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-13T19:52:30.473Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c719bea9cfbf958cb989a6

Added to database: 9/14/2025, 7:38:38 PM

Last enriched: 9/14/2025, 7:39:04 PM

Last updated: 9/14/2025, 8:34:37 PM

