
CVE-2025-10477: SQL Injection in kidaze CourseSelectionSystem

Severity: Medium
Published: Mon Sep 15 2025 (09/15/2025, 20:32:05 UTC)
Source: CVE Database V5
Vendor/Project: kidaze
Product: CourseSelectionSystem

Description

A vulnerability was identified in kidaze CourseSelectionSystem up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function of the file /Profilers/PriProfile/eligibility.php. Manipulation of the argument Branch leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning, so information about affected and unaffected releases is unavailable.

AI-Powered Analysis

Last updated: 09/15/2025, 20:37:32 UTC

Technical Analysis

CVE-2025-10477 is a SQL Injection vulnerability identified in the kidaze CourseSelectionSystem, specifically affecting an unknown function within the /Profilers/PriProfile/eligibility.php file. The vulnerability arises from improper sanitization or validation of the 'Branch' argument, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated remote attacker with low privileges to execute arbitrary SQL queries against the backend database. The product does not use versioning, making it difficult to determine affected versus unaffected releases beyond the identified commit hash (42cd892b40a18d50bd4ed1905fa89f939173a464). The vulnerability has a CVSS 4.0 base score of 5.3, categorized as medium severity, reflecting a network attack vector with low complexity and no user interaction required. The impact on confidentiality, integrity, and availability is low, but the exploitability is enhanced by the lack of authentication and remote attack vector. Although no known exploits are currently observed in the wild, a public exploit is available, increasing the risk of exploitation. The vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt course selection processes, potentially impacting educational institutions using this system.

Potential Impact

For European organizations, particularly educational institutions and universities utilizing the kidaze CourseSelectionSystem, this vulnerability poses a risk of unauthorized data access and manipulation. The SQL injection could lead to exposure of student records, course enrollment data, and potentially sensitive personal information, violating GDPR and other data protection regulations. Integrity of course selection data could be compromised, leading to administrative disruptions and loss of trust. Availability impact is limited but possible if attackers execute destructive SQL commands. The medium severity rating suggests moderate risk, but the presence of a public exploit increases urgency. Organizations may face regulatory penalties and reputational damage if exploited. The remote and unauthenticated nature of the vulnerability makes it a viable target for opportunistic attackers, including cybercriminals and hacktivists targeting educational sectors in Europe.

Mitigation Recommendations

Given the lack of official patches or versioning information, European organizations should immediately implement the following mitigations:

1) Conduct a thorough code review and apply input validation and parameterized queries or prepared statements for all database interactions involving the 'Branch' parameter, especially in /Profilers/PriProfile/eligibility.php.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting this endpoint.
3) Restrict database user privileges to the minimum necessary to limit the impact of any injection.
4) Monitor logs for suspicious SQL query patterns or unusual access to the eligibility.php resource.
5) Isolate or segment the CourseSelectionSystem environment to limit lateral movement if compromised.
6) Engage with the vendor or community to obtain or develop patches and maintain an inventory of affected systems.
7) Educate administrators on the risks and signs of exploitation.

These steps go beyond generic advice by focusing on immediate code-level remediation, network-level protections, and operational monitoring tailored to this specific vulnerability.
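The following is an added illustration of recommendations 1, 3 and 4, not code from kidaze CourseSelectionSystem: the string-concatenation pattern the advisory describes for the 'Branch' argument, next to a hardened lookup that allow-lists the value, binds it through a PDO prepared statement, and logs rejected requests. The table and column names, the branch-code format and the connection placeholders are assumptions.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (hypothetical, for contrast): the request parameter is
// concatenated into the SQL text, so a crafted 'Branch' value is parsed
// as part of the query instead of being treated as data.
function eligibility_unsafe(PDO $db, string $branch): array
{
    $sql = "SELECT id, name, eligible FROM students WHERE branch = '" . $branch . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything outside the expected branch-code
// format, then bind the value so the database never interprets it as SQL.
function eligibility_safe(PDO $db, string $branch): array
{
    // Assumption: branch codes are short alphanumeric identifiers.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $branch)) {
        throw new InvalidArgumentException('invalid Branch value');
    }
    $stmt = $db->prepare('SELECT id, name, eligible FROM students WHERE branch = :branch');
    $stmt->bindValue(':branch', $branch, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connect with a read-only account (recommendation 3) and server-side
// prepared statements. Host, database and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_READONLY_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$branch = (string) ($_GET['Branch'] ?? '');
try {
    $rows = eligibility_safe($pdo, $branch);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    // Rejected values are logged so monitoring (recommendation 4) can
    // flag repeated probing of this endpoint without echoing the input.
    error_log('eligibility.php: rejected Branch value from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit;
}
```

Keep the allow-list as a defence in depth alongside the prepared statement; the binding alone is what removes the injection, the validation simply stops malformed values earlier and gives the log entry a clear signal.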


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-15T13:54:12.843Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c878ea26cffcb34e4501d9

Added to database: 9/15/2025, 8:36:58 PM

Last enriched: 9/15/2025, 8:37:32 PM

Last updated: 9/16/2025, 12:08:10 AM
