CVE-2025-10665: SQL Injection in kidaze CourseSelectionSystem

Severity: Medium
Published: Thu Sep 18 2025 (09/18/2025, 12:02:10 UTC)
Source: CVE Database V5
Vendor/Project: kidaze
Product: CourseSelectionSystem

Description

A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Affected is an unknown function of the file /Profilers/PProfile/COUNT3s3.php. The manipulation of the argument csem leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.

AI-Powered Analysis

AI analysis last updated: 09/18/2025, 12:09:37 UTC

Technical Analysis

CVE-2025-10665 is a medium-severity SQL injection vulnerability in the kidaze CourseSelectionSystem, affecting an unknown function within the file /Profilers/PProfile/COUNT3s3.php. The flaw arises from improper sanitization or validation of the 'csem' parameter, which allows an attacker to inject SQL into the query the script builds. As the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates, it is exploitable over the network with low attack complexity and no user interaction, but it does require low privileges, i.e. a low-privileged authenticated user. The vulnerability affects the version identified by the commit hash 42cd892b40a18d50bd4ed1905fa89f939173a464; no explicit version numbering exists because of the product's rolling release model. Although exploitation in the wild has not been confirmed, an exploit is publicly available, which increases the risk of exploitation. The impact on confidentiality, integrity, and availability is rated limited (VC:L, VI:L, VA:L): an attacker could potentially read, modify, or delete data within the database, but with some constraints. Because only low privileges are needed (PR:L), any low-level authenticated user can exploit this, which is a concern for environments where many users have access to the system. The rolling release model complicates patch management, since patched versions are not clearly defined and organizations must monitor updates closely. The vulnerability matters most for deployments that rely on the CourseSelectionSystem to manage course enrollments, where exploitation could lead to unauthorized data access or manipulation, potentially disrupting academic operations or exposing sensitive student information.

Potential Impact

For European organizations, especially educational institutions using the kidaze CourseSelectionSystem, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to student records, course enrollment data, and potentially sensitive personal information, violating GDPR requirements for data protection and privacy. Data integrity could be compromised, leading to incorrect course assignments or enrollment statuses, disrupting academic processes. Availability impacts, while limited, could still affect system reliability during peak enrollment periods. The medium severity suggests that while the threat is not immediately critical, the ease of exploitation without user interaction and the availability of public exploits increase the urgency for mitigation. Institutions with multi-user access environments are particularly vulnerable due to the low privilege requirement for exploitation. Additionally, the lack of clear patch versions complicates timely remediation, increasing exposure time. The reputational damage and potential regulatory penalties from data breaches in the education sector in Europe could be substantial.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediate code review and sanitization of the 'csem' parameter in the /Profilers/PProfile/COUNT3s3.php file to prevent SQL injection, using parameterized queries or prepared statements.
2) Restrict access to the vulnerable function to only highly trusted users and monitor usage logs for suspicious activity.
3) Employ Web Application Firewalls (WAF) with custom rules to detect and block SQL injection attempts targeting the 'csem' parameter.
4) Since the product uses a rolling release model, establish a continuous monitoring process for updates from kidaze and apply patches as soon as they are released.
5) Conduct regular security assessments and penetration testing focused on injection vulnerabilities in the CourseSelectionSystem.
6) Implement strict database user permissions to limit the impact of any successful injection, ensuring the application uses least privilege principles.
7) Educate system administrators and users about the risks and signs of exploitation attempts to enhance early detection.
8) Consider network segmentation to isolate the CourseSelectionSystem from other critical systems to contain potential breaches.
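To make mitigation 1 (and the weakness described in the technical analysis) concrete, here is an added PHP example that is not the project's code. The actual source of COUNT3s3.php is not on this page, so the query, the table name (course_enrolment), the column (semester) and the assumption that csem is a 1-2 digit semester code are all hypothetical. The example shows the string-concatenation pattern that produces an injectable query beside a prepared-statement version with an allowlist check, run against an in-memory SQLite database filled with constructed rows.

```php
<?php
// Added example (hypothetical reconstruction, not the project's code).
// Assumed: table course_enrolment, column semester, csem is a 1-2 digit code.

// Vulnerable pattern: the csem value is spliced into the SQL text, so a quote
// in the input terminates the string literal and the remainder is parsed as SQL.
function countBySemesterVulnerable(PDO $db, string $csem): int
{
    $sql = "SELECT COUNT(*) FROM course_enrolment WHERE semester = '" . $csem . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened pattern: validate against an allowlist, then bind the value so the
// driver transmits it separately from the SQL text and it can never be parsed as SQL.
function countBySemester(PDO $db, string $csem): int
{
    if (!preg_match('/^\d{1,2}$/', $csem)) {
        throw new InvalidArgumentException('csem must be a 1-2 digit semester code');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM course_enrolment WHERE semester = :sem');
    $stmt->execute([':sem' => $csem]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE course_enrolment (id INTEGER PRIMARY KEY, semester TEXT NOT NULL)');
$db->exec("INSERT INTO course_enrolment (semester) VALUES ('3'), ('3'), ('5')");

// Two well-formed codes and one value carrying a quote: the hardened function
// answers the first two and rejects the third before any SQL is built.
foreach (['3', '5', "3' OR '1'='1"] as $input) {
    try {
        printf("csem=%-14s -> %d rows\n", $input, countBySemester($db, $input));
    } catch (InvalidArgumentException $e) {
        printf("csem=%-14s -> rejected: %s\n", $input, $e->getMessage());
    }
}
```

The binding is what removes the injection; the allowlist is defence in depth that also gives a clean point to log rejected input. Mitigation 6 complements this at the database layer: the account the script connects with should hold only the SELECT privilege on the tables this query needs, so that even a missed concatenation elsewhere cannot modify or delete data.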
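For mitigations 2 and 3 (monitoring usage logs and WAF rules aimed at the 'csem' parameter), an added PHP example that is not from the page or the project: it scans constructed Apache-style access-log lines, keeps only requests to /Profilers/PProfile/COUNT3s3.php, URL-decodes the csem value and flags anything that is not a short numeric code. The expectation that csem is a 1-2 digit code is an assumption, and every log line is a fabricated sample.

```php
<?php
// Added example (not the project's code). Constructed access-log lines;
// the client addresses and csem values are sample data, not real traffic.
$accessLog = <<<'LOG'
10.0.0.5 - - [18/Sep/2025:12:02:10 +0000] "GET /Profilers/PProfile/COUNT3s3.php?csem=3 HTTP/1.1" 200 512
10.0.0.9 - - [18/Sep/2025:12:02:11 +0000] "GET /Profilers/PProfile/COUNT3s3.php?csem=3%27 HTTP/1.1" 500 0
10.0.0.5 - - [18/Sep/2025:12:02:12 +0000] "GET /index.php?csem=abc HTTP/1.1" 200 1200
10.0.0.7 - - [18/Sep/2025:12:02:13 +0000] "GET /Profilers/PProfile/COUNT3s3.php?csem=12 HTTP/1.1" 200 530
LOG;

const TARGET_PATH = '/Profilers/PProfile/COUNT3s3.php';

// Return one entry per request to the affected script whose csem value does
// not match the assumed 1-2 digit semester-code format.
function suspiciousCsemRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== TARGET_PATH || !isset($url['query'])) {
            continue;   // other scripts are out of scope for this rule
        }
        parse_str($url['query'], $params);   // parse_str also URL-decodes (%27 -> ')
        if (!isset($params['csem']) || !is_string($params['csem'])) {
            continue;
        }
        if (!preg_match('/^\d{1,2}$/', $params['csem'])) {
            $hits[] = [
                'client' => strtok($line, ' '),   // first field is the client address
                'csem'   => $params['csem'],
            ];
        }
    }
    return $hits;
}

foreach (suspiciousCsemRequests($accessLog) as $hit) {
    printf("ALERT client=%s csem=%s\n", $hit['client'], $hit['csem']);
}
```

Of the four constructed lines only the second is reported: the first and fourth carry well-formed codes, and the third targets a different script. The same allowlist expression is what a WAF rule for this parameter should enforce; matching on a positive format is far more robust than a denylist of SQL keywords. A cluster of non-conforming csem values from one client, especially paired with HTTP 500 responses from the script, is the signal worth alerting on.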

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-18T05:24:35.540Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cbf67185df6e2bfaa71549

Added to database: 9/18/2025, 12:09:21 PM

Last enriched: 9/18/2025, 12:09:37 PM

Last updated: 9/18/2025, 2:31:25 PM
