
CVE-2025-11107: SQL Injection in code-projects Simple Scheduling System

Severity: Medium
Published: Sun Sep 28 2025 (09/28/2025, 14:32:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Scheduling System

Description

A vulnerability was found in code-projects Simple Scheduling System 1.0. It affects unspecified processing in the file /schedulingsystem/addcourse.php: manipulating the argument corcode leads to SQL injection. The attack can be carried out remotely. An exploit has been published and may be used.

AI-Powered Analysis

AI analysis last updated: 09/28/2025, 14:36:42 UTC

Technical Analysis

CVE-2025-11107 is a SQL injection vulnerability in version 1.0 of the code-projects Simple Scheduling System, in the file /schedulingsystem/addcourse.php. The 'corcode' parameter is used in a database query without proper validation or parameterization, so an attacker who controls that value can change the SQL the application executes. Per the CVSS 4.0 vector, the attack is reachable over the network (AV:N), of low complexity (AC:L), and needs neither privileges nor user interaction; the impact on confidentiality, integrity and availability is rated low for each (VC:L, VI:L, VA:L), giving a base score of 6.9, medium severity. A low rating per dimension still covers reading data the attacker should not see, inserting or altering course records, and breaking the query so the page fails; how far an attacker can go in practice depends on the privileges of the database account the application uses and on whether the database driver permits stacked queries.

No exploitation in the wild is known at the time of writing, but exploit code has been published, which lowers the bar for opportunistic attacks. The record references no patch or vendor advisory, so operators must mitigate on their own. Because the application manages course and scheduling data, exploitation could expose that data or disrupt scheduling operations.
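The following is an added illustration of the vulnerability class, not code from the Simple Scheduling System (whose source is not on this page). It models an "add course" handler in Python with an in-memory SQLite database; the table and column names are assumed, and SQLite stands in for whatever database the PHP application actually uses. The string-built INSERT and SELECT show what happens when a value like corcode is spliced into SQL text, and the bound-parameter versions show the fix the mitigation section asks for (in PHP the equivalent is a PDO or mysqli prepared statement).

```python
import sqlite3


def make_db():
    # Constructed stand-in schema; the real application's schema is not on the page.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE course (corcode TEXT, title TEXT)")
    con.executemany(
        "INSERT INTO course VALUES (?, ?)",
        [("CS101", "Intro to Programming"), ("CS102", "Data Structures")],
    )
    return con


def add_course_vulnerable(con, corcode, title):
    """String-built INSERT: the corcode value becomes part of the SQL syntax."""
    sql = "INSERT INTO course VALUES ('" + corcode + "', '" + title + "')"
    con.execute(sql)


def add_course_safe(con, corcode, title):
    """Bound parameters: corcode and title are passed as data, never parsed as SQL."""
    con.execute("INSERT INTO course VALUES (?, ?)", (corcode, title))


def find_course_vulnerable(con, corcode):
    sql = "SELECT corcode, title FROM course WHERE corcode = '" + corcode + "'"
    return con.execute(sql).fetchall()


def find_course_safe(con, corcode):
    return con.execute(
        "SELECT corcode, title FROM course WHERE corcode = ?", (corcode,)
    ).fetchall()


def demo():
    # Payload 1 closes the quoted value, appends an attacker-chosen row and
    # comments out the rest of the statement (the title is never used).
    insert_payload = "X', 'x'), ('EVIL', 'injected') --"
    # Payload 2 is a tautology that turns a single-row lookup into a full dump.
    dump_payload = "' OR '1'='1"

    vuln = make_db()
    add_course_vulnerable(vuln, insert_payload, "Algorithms")
    vuln_codes = [r[0] for r in vuln.execute("SELECT corcode FROM course ORDER BY corcode")]
    vuln_dump = find_course_vulnerable(vuln, dump_payload)

    safe = make_db()
    add_course_safe(safe, insert_payload, "Algorithms")
    safe_codes = [r[0] for r in safe.execute("SELECT corcode FROM course ORDER BY corcode")]
    safe_dump = find_course_safe(safe, dump_payload)

    return {
        "vuln_codes": vuln_codes,        # attacker row 'EVIL' now exists
        "vuln_dump_count": len(vuln_dump),  # every row returned
        "safe_codes": safe_codes,        # payload stored literally as one corcode
        "safe_dump_count": len(safe_dump),  # no row has that literal corcode
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable INSERT ends up as `INSERT INTO course VALUES ('X', 'x'), ('EVIL', 'injected') --', 'Algorithms')`, a valid multi-row insert with the original title commented away; the safe version stores the whole payload string as one course code and the lookup for the tautology payload matches nothing. Escaping or "sanitizing" the value is not the fix: binding it is.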

Potential Impact

For European organizations using the code-projects Simple Scheduling System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of scheduling data. Educational institutions, training centers, or businesses relying on this system for course or event management could face data breaches exposing sensitive information such as course details, user identities, or internal scheduling. Integrity compromise could lead to unauthorized changes in schedules, causing operational disruptions. Availability impact, while limited, could still affect business continuity if the system is rendered unstable or unusable. Given the remote exploitability without authentication, attackers could target vulnerable systems en masse, potentially leading to widespread disruption. The public availability of exploit code increases the likelihood of opportunistic attacks, including automated scanning and exploitation by cybercriminals. Additionally, regulatory compliance risks exist under GDPR if personal data is exposed or mishandled due to this vulnerability, potentially resulting in fines and reputational damage.

Mitigation Recommendations

1. As an immediate step, restrict external access to the scheduling system, for example by placing it behind a firewall or VPN, to limit exposure.
2. In addcourse.php, pass the 'corcode' value (and any other user input) to the database through prepared statements with bound parameters so it is treated as data rather than SQL syntax; validate it against the expected format (for a course code, a short alphanumeric token) as a second layer. Escaping alone is not a substitute for parameterization.
3. If the source cannot be modified, put a web application firewall in front of the application with rules that detect and block SQL injection attempts against the vulnerable parameter.
4. Audit and penetration-test the application to find and fix any further injection points; in code-projects samples the same pattern usually recurs in other scripts.
5. Monitor web server and database logs for requests to addcourse.php whose 'corcode' value contains quotes, SQL comment sequences or keywords, and for unusual or failing database queries.
6. Ask the vendor or community for a fix; if none is forthcoming, plan a migration to a scheduling solution with active security support.
7. Make administrators aware of the risk and the signs of exploitation so that it is detected and handled quickly.
8. Back up scheduling data regularly and verify that backups restore, so data can be recovered after corruption or loss.
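The following is an added example of the log monitoring suggested in point 5, not tooling from the project or from the advisory. It parses Apache combined-format access log lines, decodes the query string of requests to addcourse.php and flags 'corcode' values that contain SQL syntax. The log lines are constructed for the example; the indicator patterns are a starting point, not a complete signature set. One caveat: the advisory does not say whether corcode is sent in the query string or a POST body, and access logs do not record POST bodies, so if the parameter is posted you will need application-level logging, a reverse proxy that logs bodies, or the WAF's own log instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2025:14:40:01 +0000] "GET /schedulingsystem/addcourse.php?corcode=CS101&title=Intro HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Sep/2025:14:40:05 +0000] "GET /schedulingsystem/addcourse.php?corcode=CS101%27%20OR%20%271%27%3D%271&title=x HTTP/1.1" 200 8120 "-" "sqlmap/1.8"
198.51.100.4 - - [28/Sep/2025:14:40:09 +0000] "GET /schedulingsystem/addcourse.php?corcode=X%27%2C+%27x%27%29%2C+%28%27EVIL%27%2C+%27pwned%27%29+-- HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.9 - - [28/Sep/2025:14:40:12 +0000] "GET /schedulingsystem/addcourse.php?corcode=CS101%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 213 "-" "sqlmap/1.8"
203.0.113.2 - - [28/Sep/2025:14:41:00 +0000] "GET /schedulingsystem/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of SQL syntax in a value that should be a short alphanumeric
# course code. Matched case-insensitively on the URL-decoded value.
SQLI_PATTERNS = [
    (r"'", "single quote"),
    (r"--|#|/\*", "sql comment"),
    (r"\bOR\b\s*'?\d*'?\s*=", "tautology"),
    (r"\bUNION\b\s+(ALL\s+)?\bSELECT\b", "union select"),
    (r"\bSLEEP\s*\(|\bBENCHMARK\s*\(", "time-based probe"),
]


def parse_line(line):
    """Split one combined-format line into fields, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes and turns '+' into spaces.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify_corcode(value):
    """Return the names of the indicators found in a decoded corcode value."""
    return [name for pattern, name in SQLI_PATTERNS if re.search(pattern, value, re.IGNORECASE)]


def scan(log_text):
    """Return one alert per addcourse.php request whose corcode looks like SQL."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/addcourse.php"):
            continue
        corcode = rec["params"].get("corcode")
        if corcode is None:
            continue
        hits = classify_corcode(corcode)
        if hits:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "corcode": corcode,
                "indicators": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["indicators"], repr(alert["corcode"]))
```

Run against the sample, three of the five lines are flagged: the tautology probe, the row-injecting payload with a trailing comment, and the UNION SELECT attempt (whose 500 status is itself worth alerting on, since a broken query is the typical first sign of probing). Treat a match on a single quote as a lower-confidence signal than a comment sequence or a UNION, and correlate repeated hits from one source address rather than alerting on each line.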


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-27T17:21:17.867Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d947dcbb80f31703d9c519

Added to database: 9/28/2025, 2:36:12 PM

Last enriched: 9/28/2025, 2:36:42 PM

Last updated: 9/28/2025, 3:15:42 PM

