
CVE-2025-11032: SQL Injection in kidaze CourseSelectionSystem

Severity: Medium
Tags: Vulnerability, CVE-2025-11032, cve, cve-2025-11032
Published: Fri Sep 26 2025 (09/26/2025, 17:32:05 UTC)
Source: CVE Database V5
Vendor/Project: kidaze
Product: CourseSelectionSystem

Description

A flaw has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. This issue affects some unknown processing of the file /Profilers/PriProfile/COUNT3s6.php. Executing manipulation of the argument CPU can lead to SQL injection. The attack may be performed from remote. The exploit has been published and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.

AI-Powered Analysis

Last updated: 09/26/2025, 17:54:26 UTC

Technical Analysis

CVE-2025-11032 is a SQL Injection vulnerability identified in the kidaze CourseSelectionSystem, specifically affecting versions up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464. The vulnerability arises from improper handling of the 'CPU' argument in the file /Profilers/PriProfile/COUNT3s6.php, allowing an attacker to manipulate SQL queries executed by the system. This flaw can be exploited remotely without any authentication or user interaction, making it accessible to unauthenticated attackers over the network. The product follows a rolling release model, which complicates precise version tracking, but the vulnerability affects all versions up to the specified commit. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is rated low, indicating that while exploitation can lead to unauthorized data access or modification, the scope and severity of damage are somewhat limited. No known exploits are currently reported in the wild, but a public exploit has been published, increasing the risk of active exploitation. The vulnerability's presence in a course selection system suggests that educational institutions using this software could be targeted, potentially exposing sensitive student and academic data or disrupting course registration processes.

Potential Impact

For European organizations, particularly educational institutions such as universities and colleges using the kidaze CourseSelectionSystem, this vulnerability poses a risk of unauthorized access to student records, course enrollment data, and potentially other sensitive academic information. Exploitation could lead to data breaches compromising personal identifiable information (PII), academic records, and enrollment details, impacting privacy compliance under GDPR. Additionally, attackers could manipulate or corrupt course selection data, disrupting academic operations and causing reputational damage. Although the vulnerability is rated medium severity, the ease of remote exploitation without authentication increases the threat level. The rolling release nature of the software may delay patch deployment, prolonging exposure. Given the critical role of course selection systems in academic administration, any disruption or data compromise could have significant operational and legal consequences for European educational entities.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:

1) Immediately audit their deployment of kidaze CourseSelectionSystem to identify affected versions, focusing on the presence of the vulnerable commit or earlier.
2) Apply any available patches or updates from the vendor promptly; if no official patch exists due to the rolling release model, consider rolling back to a known secure version or applying custom input validation and sanitization on the 'CPU' parameter to prevent SQL injection.
3) Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting the vulnerable endpoint (/Profilers/PriProfile/COUNT3s6.php).
4) Conduct thorough logging and monitoring of database queries and web application logs to detect anomalous activities indicative of exploitation attempts.
5) Restrict network access to the course selection system to trusted internal networks or VPNs where feasible, reducing exposure to remote attackers.
6) Educate IT and security teams about the vulnerability and ensure incident response plans include steps for SQL injection attacks.
7) Engage in regular security assessments and penetration testing focusing on injection vulnerabilities to proactively identify and remediate similar issues.
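The following is an added example, not code from the advisory or from the kidaze project, showing how recommendations 2 and 4 above can be turned into something concrete: a strict allowlist check for the 'CPU' parameter (the same rule a server-side fix or WAF rule would apply) and a scan of web server access logs for requests to /Profilers/PriProfile/COUNT3s6.php whose CPU value fails that check. The log format (combined-log style), the sample log lines, and the assumption that a legitimate CPU value is a short alphanumeric token are all constructed for illustration; the endpoint path and parameter name come from the advisory.

```python
"""Added example: allowlist check for the CPU parameter and an access-log scan
for requests to the vulnerable endpoint (CVE-2025-11032) that fail the check.
Log format, sample lines and the 'CPU is a short token' rule are assumptions."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_PATH = "/Profilers/PriProfile/COUNT3s6.php"   # from the advisory
VULN_PARAM = "CPU"                                  # from the advisory

# Assumption: a legitimate CPU value is a short alphanumeric/underscore token.
# Anything else is rejected server-side and flagged in the logs.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Characters and keywords a plain token never contains; used only to label
# why a value failed the allowlist (the allowlist itself is the control).
SQL_META = re.compile(r"['\"\\;]|--|/\*|\b(or|and|union|select)\b", re.IGNORECASE)

# Combined-log style line: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target):
    """Return None if the request is not for the vulnerable endpoint,
    'ok' if every CPU value passes the allowlist, else a reason string."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM)
    if not values:
        return "ok"            # endpoint hit without the parameter; not a finding
    for raw in values:
        value = unquote(raw)   # parse_qs decoded once; decode again for double-encoding
        if SAFE_VALUE.fullmatch(value):
            continue
        if SQL_META.search(value):
            return f"SQL metacharacters in CPU value: {value!r}"
        return f"CPU value outside allowlist: {value!r}"
    return "ok"


def scan_log(lines):
    """Return (ip, timestamp, reason) for each request that fails the check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict is not None and verdict != "ok":
            findings.append((m.group("ip"), m.group("ts"), verdict))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Sep/2025:17:40:01 +0000] "GET /Profilers/PriProfile/COUNT3s6.php?CPU=cs101 HTTP/1.1" 200 512',
    '203.0.113.10 - - [26/Sep/2025:17:40:03 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [26/Sep/2025:17:41:10 +0000] "GET /Profilers/PriProfile/COUNT3s6.php?CPU=cs101%27%20OR%201%3D1-- HTTP/1.1" 200 4096',
    '198.51.100.7 - - [26/Sep/2025:17:41:12 +0000] "GET /Profilers/PriProfile/COUNT3s6.php?CPU=%2527%2520OR%25201%253D1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}")
```

The second flagged line is double URL-encoded; `parse_qs` decodes it only once, so the extra `unquote` is what lets the scanner see the same value the application would see after its own decoding. The same `SAFE_VALUE` rule, applied in the PHP handler before the value reaches any query (or, better, alongside a parameterized query), is the server-side counterpart of this detection.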


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-26T08:44:43.616Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d6d342dc133514c6449453

Added to database: 9/26/2025, 5:54:10 PM

Last enriched: 9/26/2025, 5:54:26 PM

Last updated: 9/26/2025, 8:32:53 PM
