
CVE-2025-10613: SQL Injection in itsourcecode Student Information System

Medium
Tags: Vulnerability, CVE-2025-10613, cve, cve-2025-10613
Published: Wed Sep 17 2025 (09/17/2025, 19:02:06 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Student Information System

Description

A vulnerability has been found in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /leveledit1.php. Manipulation of the argument level_id leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 19:07:32 UTC

Technical Analysis

CVE-2025-10613 is a SQL injection vulnerability identified in version 1.0 of the itsourcecode Student Information System, specifically within an unspecified function in the /leveledit1.php file. The vulnerability arises from improper sanitization or validation of the 'level_id' parameter, allowing an attacker to inject SQL code remotely without user interaction and with only low privileges. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or complete compromise of the database. The CVSS 4.0 vector indicates the attack can be performed over the network (AV:N) with low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is rated low for each, but together they can amount to significant data exposure or disruption. Although no exploitation in the wild has been observed, the public disclosure of the exploit increases the risk. The vulnerability affects only version 1.0 of the product, and no patch has been published yet. Given that Student Information Systems typically store sensitive student data, including personal information, grades, and attendance records, exploitation could lead to privacy breaches and data integrity issues.

Potential Impact

For European organizations, particularly educational institutions using the itsourcecode Student Information System version 1.0, this vulnerability poses a moderate risk. Exploitation could result in unauthorized access to sensitive student data, violating GDPR and other data protection regulations, potentially leading to legal penalties and reputational damage. The integrity of academic records could be compromised, affecting student evaluations and institutional credibility. Availability impacts could disrupt administrative operations. Since the vulnerability requires only low privileges and no user interaction, attackers could automate exploitation attempts, increasing the threat level. The medium CVSS score reflects the moderate but tangible risk to confidentiality and integrity. Institutions relying on this software without timely mitigation may face data breaches and operational disruptions.

Mitigation Recommendations

European organizations should immediately audit their use of the itsourcecode Student Information System to determine if version 1.0 is deployed. If so, they should restrict external access to the /leveledit1.php endpoint via network-level controls such as firewalls or web application firewalls (WAF) with SQL injection detection rules. Implement strict input validation and parameterized queries or prepared statements in the application code to prevent SQL injection. Until an official patch is released, consider isolating the affected system from the internet or limiting access to trusted internal networks only. Regularly monitor logs for suspicious activity targeting the 'level_id' parameter. Conduct security assessments and penetration testing focused on injection flaws. Additionally, ensure backups of critical data are up to date and tested for restoration to mitigate potential data loss or corruption. Organizations should also prepare incident response plans tailored to data breaches involving student information.
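As an added example of the log monitoring recommended above (not part of this advisory or of the product's code), the following Python script scans web server log lines in combined format for requests to /leveledit1.php whose level_id value is not a plain integer and reports which SQL-syntax indicators the value carries. The log format, the sample entries and the indicator list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic from the product.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:19:02:06 +0000] "GET /leveledit1.php?level_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Sep/2025:19:02:07 +0000] "GET /leveledit1.php?level_id=3%27-- HTTP/1.1" 200 9876 "-" "curl/8.0"
203.0.113.9 - - [17/Sep/2025:19:02:08 +0000] "GET /leveledit1.php?level_id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.2 - - [17/Sep/2025:19:02:09 +0000] "GET /index.php?level_id=abc HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Indicators that a level_id value carries SQL syntax rather than a numeric id (assumed list).
INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|/\*|#"),
    "keyword": re.compile(r"\b(union|select|or|and|sleep|benchmark)\b", re.I),
}


def check_level_id(value):
    """Return indicator names for a decoded level_id value; empty list if it is a plain integer."""
    if re.fullmatch(r"\d+", value):
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    return hits or ["non_integer"]


def scan_log(text, path="/leveledit1.php"):
    """Return (ip, status, decoded level_id, indicators) for suspicious requests to `path`."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        for value in parse_qs(url.query).get("level_id", []):  # parse_qs percent-decodes
            hits = check_level_id(value)
            if hits:
                findings.append((m.group("ip"), int(m.group("status")), value, hits))
    return findings


if __name__ == "__main__":
    for ip, status, value, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} level_id={value!r} indicators={hits}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 500 status next to a flagged value is worth prioritising, since it often means the injected syntax reached the database.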


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-17T11:11:17.854Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68cb06d7ab9d7384897e2e28

Added to database: 9/17/2025, 7:07:03 PM

Last enriched: 9/17/2025, 7:07:32 PM

Last updated: 9/19/2025, 5:08:26 AM
