CVE-2025-10479 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester Online Student File Management System. The vulnerability resides in an unspecified function within the /index.php file, where manipulation of the 'stud_no' parameter allows an attacker to inject malicious SQL code. This flaw enables remote exploitation without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts confidentiality, integrity, and availability at a low level, as the vector indicates low impact on these security properties (VC:L/VI:L/VA:L). The CVSS score of 6.9 categorizes this as a medium severity issue. The exploit has been publicly released, increasing the risk of exploitation, although no known active exploitation in the wild has been reported yet. SQL Injection vulnerabilities typically allow attackers to read, modify, or delete data within the backend database, potentially leading to data leakage, unauthorized data modification, or denial of service. Given the context of a student file management system, sensitive educational records and personal information could be at risk. The lack of authentication requirements and the remote attack vector make this vulnerability particularly dangerous for exposed systems. However, the limited impact ratings suggest that the system may have some mitigating controls or that the injection point does not allow full database compromise. Nonetheless, the presence of a public exploit increases the urgency for remediation.

For European organizations, particularly educational institutions using the SourceCodester Online Student File Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of student records and related data. Exploitation could lead to unauthorized disclosure of personal information protected under GDPR, resulting in regulatory penalties and reputational damage. The ability to remotely exploit the vulnerability without authentication increases the attack surface, especially for institutions with externally accessible systems. Data manipulation or deletion could disrupt academic operations, affecting availability and trustworthiness of records. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement. The medium severity rating indicates a moderate but tangible threat level, warranting prompt attention to avoid potential data breaches and operational disruptions.

1. Immediate application of patches or updates from the vendor once available is the primary mitigation step. Since no patch links are currently provided, organizations should monitor SourceCodester's official channels for updates. 2. In the interim, implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'stud_no' parameter in /index.php. 3. Conduct input validation and sanitization on all user-supplied inputs, especially 'stud_no', to ensure only expected data formats are accepted. 4. Restrict external access to the Online Student File Management System by limiting exposure through network segmentation, VPN access, or IP whitelisting. 5. Perform regular security audits and penetration testing focused on injection flaws to identify and remediate similar vulnerabilities. 6. Monitor logs for suspicious database queries or unusual application behavior indicative of exploitation attempts. 7. Educate development teams on secure coding practices to prevent SQL injection vulnerabilities in future releases.