
CVE-2025-10418: SQL Injection in SourceCodester Student Grading System

Severity: Medium
Type: Vulnerability (CVE-2025-10418)
Published: Mon Sep 15 2025 (09/15/2025, 00:32:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Student Grading System

Description

A weakness has been identified in SourceCodester Student Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_students.php. This manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

AI analysis last updated: 09/15/2025, 01:02:22 UTC

Technical Analysis

CVE-2025-10418 is a medium-severity SQL injection vulnerability in SourceCodester Student Grading System 1.0. It lies in /view_students.php, in an unspecified function that reads the 'ID' request parameter and uses it to build a database query. Because the value is spliced into the SQL text instead of being bound as a parameter, a remote attacker can change the structure of the query: a boolean condition appended to the ID returns every student record, a UNION clause can pull rows from other tables such as user credentials, and, where the database driver accepts stacked statements, data can be modified or deleted. The real impact depends on the privileges of the database account the application connects with. The CVSS 4.0 base score is 5.3 (medium), reflecting a network attack vector, low attack complexity, no user interaction and limited rather than total impact on confidentiality, integrity and availability. The vector string is not reproduced here; a 5.3 under CVSS 4.0 is consistent with a vector that requires low privileges (for example an ordinary logged-in user), so verify the published vector before treating the endpoint as exploitable without authentication. No exploitation in the wild has been reported, but proof-of-concept code is public, which lowers the bar for opportunistic attackers. No vendor patch or advisory was available at the time of this analysis. Because the software is aimed at educational institutions, exposure of student records or tampering with grades would have both operational and reputational consequences.
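To make the mechanism concrete, the following is an added example and not code from the Student Grading System or its vendor. The real application is PHP (the affected file is /view_students.php) and presumably talks to MySQL; this stand-in uses Python with an in-memory sqlite3 database, a constructed schema (the table and column names are assumptions), the vulnerable lookup pattern, and the parameterized form that removes the flaw.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory schema standing in for the grading system's
    database. Table and column names are assumptions for the example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT);
        INSERT INTO students VALUES (1, 'Alice', 'A'), (2, 'Bob', 'B'), (3, 'Carol', 'C');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
    """)
    return con


def view_student_vulnerable(con, student_id):
    """The pattern behind CVE-2025-10418: the request parameter becomes
    part of the SQL text, so it can rewrite the query."""
    query = f"SELECT id, name, grade FROM students WHERE id = {student_id}"
    return con.execute(query).fetchall()


def view_student_safe(con, student_id):
    """Hardened form: enforce the expected type, then bind the value as a
    query parameter so the driver never treats it as SQL."""
    try:
        sid = int(student_id)
    except (TypeError, ValueError):
        return []  # anything that is not an integer ID is rejected outright
    return con.execute(
        "SELECT id, name, grade FROM students WHERE id = ?", (sid,)
    ).fetchall()


if __name__ == "__main__":
    con = build_demo_db()
    payloads = (
        "2",                                                   # legitimate request
        "1 OR 1=1",                                            # boolean-based: dump every student
        "0 UNION SELECT id, username, password_hash FROM users",  # UNION-based: read another table
    )
    for payload in payloads:
        print(f"ID={payload!r}")
        print("  vulnerable ->", view_student_vulnerable(con, payload))
        print("  safe       ->", view_student_safe(con, payload))
```

sqlite3's execute() runs a single statement, and so does PHP's mysqli_query(), so boolean- and UNION-based extraction is the realistic path; modifying grades through this particular query would need a second injectable write query or a driver call that allows stacked statements. The type check in view_student_safe is defense in depth, not the fix: the parameter binding is what closes the injection.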

Potential Impact

For European organizations, particularly schools, colleges and universities that run SourceCodester Student Grading System 1.0, this vulnerability risks unauthorized access to student records, including grades and personal data. A breach would fall under GDPR, with possible legal penalties and loss of trust. Attackers could also alter grading data, undermining academic integrity and disrupting operations. Because the attack is remote and the endpoint is a normal web request, exploitation is most likely where the system is reachable from the internet or sits on a poorly segmented network. The medium score indicates that a single request does not compromise the host, but the loss of confidentiality and integrity of student data is serious for the institutions affected. With no vendor patch available, organizations must rely on compensating controls, which adds operational burden, and the public exploit code makes prompt action more urgent.

Mitigation Recommendations

1. Immediate network-level controls: restrict access to the Student Grading System web interface with IP allowlisting or VPN access so that only trusted users can reach it.
2. Fix the query: if the source code is available, rewrite the database call in /view_students.php to use a prepared statement with the ID bound as a parameter. Casting the ID to an integer before use is worthwhile defense in depth, but validation alone is not a substitute for parameterization.
3. Web Application Firewall (WAF): deploy a WAF with rules that detect and block SQL injection attempts against the ID parameter of /view_students.php; a simple allowlist rule (ID must be digits only) is more reliable here than generic signatures.
4. Segmentation: isolate the grading system servers from the broader network to limit lateral movement if they are compromised.
5. Monitoring and logging: enable detailed logging of web requests and database queries, and alert on non-numeric ID values, SQL keywords in the query string, or automated-scanner user agents hitting the vulnerable path.
6. Incident response readiness: have a response plan that includes verified backups of the grading database and tested restoration procedures.
7. Vendor engagement: ask the vendor or community for a patch and monitor for security advisories.
8. Consider migration: evaluate alternative grading systems with active security support if remediation is not feasible in the short term.
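As an added example for recommendations 3 and 5, not part of the original page: a small Python detector that parses Apache combined-format access-log lines, extracts the ID parameter from requests to /view_students.php and flags every value that is not a plain integer. The log lines below are constructed for the example, and the log format and the parameter name are assumptions about the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2025:01:10:01 +0000] "GET /view_students.php?ID=12 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2025:01:10:09 +0000] "GET /view_students.php?ID=12%20AND%201%3D1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2025:01:11:30 +0000] "GET /view_students.php?ID=0%20UNION%20SELECT%20id%2Cusername%2Cpassword%20FROM%20users HTTP/1.1" 200 2210 "-" "sqlmap/1.8"
203.0.113.5 - - [15/Sep/2025:01:12:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2025:01:12:41 +0000] "GET /view_students.php?id=5%27 HTTP/1.1" 500 0 "-" "sqlmap/1.8"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

VULNERABLE_PATH = "/view_students.php"
INTEGER_ID = re.compile(r"^\d+$")  # the only shape a legitimate ID should have (assumption)


def find_injection_attempts(log_text):
    """Return one record per request to the vulnerable path whose ID
    parameter is not a plain integer. Allowlisting the expected shape
    catches boolean, UNION and quote-based payloads without a signature list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        if url.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes the values; match the parameter name case-insensitively
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        for value in params.get("id", []):
            if not INTEGER_ID.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "user_agent": m.group("ua"),
                    "id_value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} '
              f'ID={hit["id_value"]!r} ua={hit["user_agent"]}')
```

A 500 response paired with a quote in the ID, as in the last sample line, is the classic sign of error-based probing and deserves a higher alert priority than a 200. The same allowlist (digits only) is what a WAF rule for this parameter should enforce.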


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-14T06:26:16.157Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c7621239776bc2a146bc6b

Added to database: 9/15/2025, 12:47:14 AM

Last enriched: 9/15/2025, 1:02:22 AM

Last updated: 9/15/2025, 4:27:46 AM


