CVE-2025-10407 is a SQL Injection vulnerability identified in SourceCodester Student Grading System version 1.0. The vulnerability exists in the /view_user.php file, where the 'ID' parameter is improperly sanitized, allowing an attacker to manipulate the SQL query executed by the application. This flaw enables remote attackers to inject arbitrary SQL commands without requiring authentication or user interaction. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its moderate impact and ease of exploitation. Exploiting this vulnerability could allow an attacker to read, modify, or delete data from the underlying database, potentially leading to unauthorized disclosure of sensitive student information, data integrity issues, or denial of service if critical database operations are disrupted. The exploit code is publicly available, increasing the risk of exploitation, although no known active exploitation in the wild has been reported yet. The vulnerability does not require user interaction but does require low privileges (PR:L), indicating that some level of access to the system or application is necessary to exploit the flaw. The vulnerability impacts confidentiality, integrity, and availability to a limited extent due to the partial scope and limited privileges required.

For European organizations, particularly educational institutions using the SourceCodester Student Grading System 1.0, this vulnerability poses a risk of unauthorized access to student records and grading data. Compromise of such data could lead to privacy violations under GDPR, reputational damage, and potential legal consequences. The integrity of grading data could be undermined, affecting academic outcomes and trust in the institution. Availability could also be impacted if attackers manipulate or delete critical data, disrupting academic operations. Given the public availability of exploit code, the risk of exploitation increases, especially in environments where patching and security controls are lax. European educational entities often handle sensitive personal data, making the confidentiality impact particularly significant. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if attackers escalate privileges or move laterally.

Organizations should immediately audit their use of SourceCodester Student Grading System 1.0 and identify any instances of the vulnerable /view_user.php component. Since no official patches are currently linked, mitigation should focus on implementing input validation and parameterized queries to prevent SQL injection. Specifically, developers should sanitize and validate the 'ID' parameter rigorously, using prepared statements or stored procedures. Web application firewalls (WAFs) can be deployed to detect and block SQL injection attempts targeting this endpoint. Access controls should be tightened to restrict who can reach the vulnerable functionality, and monitoring should be enhanced to detect anomalous database queries or application behavior. If possible, upgrading to a newer, patched version of the software or migrating to a more secure grading system is recommended. Regular security assessments and code reviews should be conducted to identify similar injection flaws. Finally, organizations should ensure backups of critical data are maintained to enable recovery in case of data tampering or loss.