CVE-2025-11033: SQL Injection in kidaze CourseSelectionSystem
A vulnerability has been found in kidaze CourseSelectionSystem up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464. Impacted is an unknown function of the file /Profilers/PriProfile/COUNT3s7.php. Manipulation of the argument cbe leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The product uses a rolling release to provide continuous delivery, so no version details for affected or updated releases are available.
AI Analysis
Technical Summary
CVE-2025-11033 is a SQL injection vulnerability in the kidaze CourseSelectionSystem, affecting an unknown function in the file /Profilers/PriProfile/COUNT3s7.php. The flaw arises because the 'cbe' argument is passed into a SQL statement without proper validation or, more to the point, without parameterization, so an attacker who controls that argument can alter the structure of the query. The injection is reachable remotely without authentication or user interaction. The product follows a rolling release model, which complicates version tracking and patch management: there is no affected or fixed version number, only the commit hash 42cd892b40a18d50bd4ed1905fa89f939173a464 as the latest known affected state. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and low (limited) impact on confidentiality, integrity and availability. That score assumes a limited blast radius; the real-world impact of a SQL injection depends on the privileges of the database account the application uses and on the DBMS features the injection can reach (for example stacked queries or file access), and can be considerably worse than the per-metric rating suggests. A public exploit has been disclosed, but no exploitation in the wild has been reported; the public disclosure nevertheless raises the likelihood of opportunistic scanning and exploitation. Successful exploitation could allow an attacker to extract sensitive data, modify or delete records, or disrupt the availability of the course selection system, which academic institutions rely on for student course management.
Potential Impact
For European organizations, particularly educational institutions and universities running the kidaze CourseSelectionSystem, this vulnerability poses a significant risk. Exploitation could expose student records, course enrollment data and other personal information, which would constitute a personal data breach under the GDPR. The integrity of academic records could be compromised, affecting course registrations and progress tracking, and availability disruptions could impair administrative operations during enrollment periods. The medium severity rating indicates a moderate but tangible risk, especially since the flaw is remotely exploitable without authentication and a public exploit exists. Organizations may face reputational damage, regulatory consequences and operational disruption if the vulnerability is exploited.
Mitigation Recommendations
Given the rolling release nature of the product and the absence of an explicit patched version, organizations should implement compensating controls immediately and verify the fix in the code rather than relying on a version number:
1) Determine whether the deployed checkout is affected by comparing its commit (for example with git rev-parse HEAD in the deployment directory) against 42cd892b40a18d50bd4ed1905fa89f939173a464; any checkout at or before that commit should be treated as vulnerable until the code in /Profilers/PriProfile/COUNT3s7.php has been reviewed.
2) Fix the root cause: rewrite the query that consumes the 'cbe' argument to use a prepared statement with bound parameters (PDO or mysqli in PHP) instead of string concatenation, and audit the rest of the application for the same pattern. Input validation and sanitization are useful defense in depth (for instance, rejecting a 'cbe' value that is not the expected numeric or identifier form), but they are not a reliable substitute for parameterized queries.
3) Deploy a Web Application Firewall (WAF) with rules that detect and block SQL injection patterns targeting the 'cbe' parameter in /Profilers/PriProfile/COUNT3s7.php, as a stopgap; keep in mind that WAF signatures can be evaded with encoding and are no replacement for the code fix.
4) Restrict the database account used by the application to the minimum privileges it needs (no FILE, no DDL, no access to unrelated schemas) to limit what an injection can reach.
5) Monitor web server and database logs for requests to the vulnerable script with SQL metacharacters, comment sequences or UNION/SLEEP keywords in the 'cbe' parameter, and for repeated probing from the same client, which indicates automated tooling.
6) Engage the vendor for a fix, track the upstream repository for the correcting commit, and test any new release promptly.
7) Consider temporarily restricting access to the vulnerable module (for example, network-level access control or removing it from public exposure) until a fix is in place.
8) Brief IT staff on the vulnerability and ensure incident response plans cover SQL injection scenarios, including how to determine from logs whether data was exfiltrated.
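The following script is an added example, not part of this advisory or of the kidaze project, showing how the log monitoring from the recommendations above can be done against web server access logs. It assumes that 'cbe' is sent in the query string (the advisory does not say whether the parameter is passed via GET or POST; POST bodies do not appear in access logs and would need application or WAF logging instead). The log lines are constructed in the combined log format, and the tautology, UNION, comment, time-based, error-based and stacked-query heuristics are generic SQL injection indicators rather than a signature of the actual published exploit, which the advisory does not reproduce.

```python
"""Triage access logs for SQL injection attempts against the 'cbe'
parameter of /Profilers/PriProfile/COUNT3s7.php (CVE-2025-11033).

Added example; not the advisory's or the project's code. Assumes the
parameter travels in the GET query string. Log lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/Profilers/PriProfile/COUNT3s7.php"
TARGET_PARAM = "cbe"

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic SQLi indicators, applied to the URL-decoded parameter value.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("comment-truncation", re.compile(r"(--|#|/\*)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I)),
]


def decode_cbe(target: str) -> Optional[str]:
    """Return the decoded 'cbe' value for a request to the vulnerable script,
    or None if the path or parameter does not match. The value is decoded a
    second time when it still contains '%', to catch double-encoded payloads."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM)
    if not values:
        return None
    value = values[0]
    if "%" in value:
        value = unquote_plus(value)
    return value


def sqli_indicators(value: str) -> list:
    """Names of the heuristics that match the decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def triage(lines) -> list:
    """One finding per suspicious request: (ip, time, decoded cbe, indicators)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        value = decode_cbe(m.group("target"))
        if value is None:
            continue  # different script or no cbe parameter
        hits = sqli_indicators(value)
        if hits:
            findings.append((m.group("ip"), m.group("time"), value, hits))
    return findings


def offenders(findings, threshold: int = 2) -> dict:
    """Clients with at least `threshold` suspicious requests; repeated
    probing is a stronger signal of automated tooling than a single hit."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (documentation IP ranges): one benign request to the
# script, three probes from one client (plain, UNION, double-encoded SLEEP),
# and an injection-looking request against a different script.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2025:18:01:02 +0000] "GET /Profilers/PriProfile/COUNT3s7.php?cbe=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Sep/2025:18:01:05 +0000] "GET /Profilers/PriProfile/COUNT3s7.php?cbe=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 9031 "-" "sqlmap/1.8"
198.51.100.9 - - [26/Sep/2025:18:01:06 +0000] "GET /Profilers/PriProfile/COUNT3s7.php?cbe=42%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 12044 "-" "sqlmap/1.8"
198.51.100.9 - - [26/Sep/2025:18:01:09 +0000] "GET /Profilers/PriProfile/COUNT3s7.php?cbe=42%2527%2520AND%2520SLEEP%25285%2529--%2520 HTTP/1.1" 200 512 "-" "sqlmap/1.8"
203.0.113.7 - - [26/Sep/2025:18:02:00 +0000] "GET /index.php?cbe=1%27%20OR%201%3D1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for ip, when, value, hits in found:
        print(f"{when} {ip} cbe={value!r} -> {', '.join(hits)}")
    print("repeat offenders:", offenders(found))
```

Run it against a real log with `triage(open("access.log").readlines())`. The heuristics are intentionally broad, so treat a single match as a lead and the repeat-offender list as the actionable signal; a request that matched and returned a large or unusual response size, as in the UNION line above, is the one to pull the database logs for.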
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-26T08:44:46.342Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d6d5a7721a41f476d92a1b
Added to database: 9/26/2025, 6:04:23 PM
Last enriched: 9/26/2025, 6:08:08 PM
Last updated: 9/27/2025, 12:10:06 AM