CVE-2025-11089 is a SQL Injection vulnerability identified in the kidaze CourseSelectionSystem, specifically affecting an unknown function within the file /Profilers/PriProfile/COUNT3s4.php. The vulnerability arises from improper sanitization or validation of the 'cbranch' parameter, which can be manipulated remotely by an unauthenticated attacker to inject malicious SQL code. This injection could allow the attacker to interfere with the application's database queries, potentially leading to unauthorized data access, data modification, or even deletion. The product employs a rolling release model, which complicates pinpointing exact affected versions beyond the provided commit hash (42cd892b40a18d50bd4ed1905fa89f939173a464). The CVSS 4.0 base score is 6.9 (medium severity), reflecting the vulnerability's network attack vector, low attack complexity, no required privileges or user interaction, and limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation attempts. The lack of available patches or version updates at the time of disclosure necessitates immediate attention from users of this system.

For European organizations using the kidaze CourseSelectionSystem, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive educational data, including student course selections and potentially personal information. Exploitation could lead to unauthorized data disclosure or manipulation, undermining trust in educational institutions and potentially violating data protection regulations such as GDPR. The remote, unauthenticated nature of the attack vector increases the likelihood of exploitation, especially in environments where the system is exposed to the internet without adequate network segmentation or firewall protections. Additionally, data integrity issues could disrupt academic operations, causing administrative delays or errors in course enrollment processes. The medium severity rating suggests that while the impact is not catastrophic, the vulnerability is serious enough to warrant prompt remediation to prevent escalation or chaining with other vulnerabilities.

Organizations should immediately conduct a thorough audit of their kidaze CourseSelectionSystem deployments to identify affected instances. Given the rolling release model and absence of official patches, it is critical to implement compensating controls such as web application firewalls (WAFs) configured to detect and block SQL injection patterns targeting the 'cbranch' parameter. Input validation and sanitization should be enforced at the application level, ideally by developers reviewing and updating the vulnerable code segment. Network-level protections, including restricting access to the CourseSelectionSystem to trusted internal networks or VPNs, can reduce exposure. Monitoring and logging of database queries and web requests should be enhanced to detect anomalous activities indicative of exploitation attempts. Organizations should engage with the vendor for updates or patches and plan for timely application once available. Additionally, conducting penetration testing focused on SQL injection vectors can help validate the effectiveness of mitigations.