
CVE-2025-12929: SQL Injection in SourceCodester Survey Application System

Severity: Medium
Tags: Vulnerability, CVE-2025-12929
Published: Mon Nov 10 2025 (11/10/2025, 03:32:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Survey Application System

Description

A flaw has been found in SourceCodester Survey Application System 1.0. It affects the functions save_user and update_user in the file /LoginRegistration.php. Manipulation of the argument fullname can lead to SQL injection. The attack may be performed remotely. An exploit has been published and may be used. Other parameters might be affected as well.

AI-Powered Analysis

AI analysis last updated: 11/17/2025, 04:49:49 UTC

Technical Analysis

CVE-2025-12929 is a SQL injection vulnerability in SourceCodester Survey Application System version 1.0. It resides in the save_user and update_user functions of the /LoginRegistration.php script, where the 'fullname' parameter is placed into a database query without proper sanitization or parameterization. A remote attacker can craft input for this parameter so that part of it is interpreted as SQL by the backend database, which can lead to unauthorized disclosure, modification, or deletion of data and so affects the confidentiality, integrity, and availability of the application's data. The vulnerability requires no authentication and no user interaction, and the published exploit code lowers the bar for exploitation attempts. Although 'fullname' is the parameter identified, other inputs handled by the same code may be vulnerable in the same way. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L), which is consistent with the Medium rating. The practical risk is higher where the Survey Application System collects sensitive or strategic information, since an attacker could alter survey data or extract user records. No official patch has been linked yet, so mitigation relies on parameterized queries, input validation, or temporary access restrictions.
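
The following is an added example, not code from the Survey Application System (which is written in PHP) or from this advisory. It reproduces the vulnerable pattern in Python against an in-memory SQLite database with a constructed users table and a hypothetical update_user function, then runs the same input through a parameterized query. The payload is a generic quote-and-comment injection written for this demonstration, not the published exploit, and the name allowlist is an assumption shown only to make the point that validation alone is not the fix.

```python
import re
import sqlite3

# Constructed stand-in schema; the real application's tables are not on the page.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, fullname TEXT, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (fullname, username, password) VALUES (?, ?, ?)",
        [("Site Admin", "admin", "admin-secret"), ("Bob Example", "bob", "bob-secret")],
    )
    return conn

def update_user_vulnerable(conn, user_id: int, fullname: str) -> str:
    """Hypothetical vulnerable update_user: the value is pasted into the SQL text,
    so a quote in fullname ends the string and the rest is parsed as SQL."""
    sql = "UPDATE users SET fullname='%s' WHERE id=%d" % (fullname, user_id)
    conn.execute(sql)
    return sql  # returned only so the reader can see the rewritten statement

def update_user_safe(conn, user_id: int, fullname: str) -> None:
    """Hardened form: a prepared statement with bound parameters. The driver sends
    the value separately from the query text, so quotes are data, not grammar."""
    conn.execute("UPDATE users SET fullname=? WHERE id=?", (fullname, user_id))

# Defense in depth only: an assumed name allowlist that still admits the apostrophe
# real names need, which is exactly why validation cannot replace parameterization.
NAME_RE = re.compile(r"[A-Za-zÀ-ÿ][A-Za-zÀ-ÿ' .\-]{0,99}")

def validate_fullname(fullname: str) -> bool:
    return NAME_RE.fullmatch(fullname) is not None

def admin_password(conn) -> str:
    return conn.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]

def fullname_of(conn, user_id: int) -> str:
    return conn.execute("SELECT fullname FROM users WHERE id=?", (user_id,)).fetchone()[0]

def demo() -> dict:
    # Generic injection payload (constructed, not the published exploit): closes the
    # string, smuggles in a second assignment, retargets the WHERE clause at the
    # admin row, and comments out the original "WHERE id=..." clause.
    payload = "x', password='owned' WHERE username='admin'--"
    results = {}

    conn = make_db()
    results["vulnerable_sql"] = update_user_vulnerable(conn, 2, payload)
    results["vulnerable_admin_password"] = admin_password(conn)   # 'owned'
    results["vulnerable_bob_fullname"] = fullname_of(conn, 2)     # 'Bob Example' (row 2 untouched)

    conn = make_db()
    update_user_safe(conn, 2, payload)
    results["safe_admin_password"] = admin_password(conn)         # 'admin-secret'
    results["safe_bob_fullname"] = fullname_of(conn, 2)           # the payload stored as a literal

    results["payload_passes_validation"] = validate_fullname(payload)           # False
    results["real_name_passes_validation"] = validate_fullname("Mary O'Brien")  # True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the two outcomes side by side: with string concatenation the update intended for user 2 silently rewrites the admin row's password, while with bound parameters the same input is stored verbatim in user 2's fullname and nothing else changes.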

Potential Impact

For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive survey data, manipulation of user records, and potential disruption of survey operations. This could damage organizational reputation, violate data protection regulations such as GDPR, and result in financial or operational losses. Organizations relying on the SourceCodester Survey Application System for decision-making or customer feedback may face data integrity issues, undermining trust in their processes. The remote, unauthenticated nature of the exploit increases risk, especially for publicly accessible survey portals. Additionally, if attackers leverage this vulnerability to pivot into internal networks, broader compromise is possible. The impact is heightened in sectors like market research, public administration, and healthcare, where survey data may be sensitive or regulated.

Mitigation Recommendations

The actual fix is to use parameterized queries (prepared statements) for every query that incorporates user-supplied data, starting with the save_user and update_user code in /LoginRegistration.php. Strict input validation for 'fullname' and the other parameters is worthwhile defense in depth, but it cannot replace parameterization: legitimate names contain apostrophes, so a filter that blocks quotes breaks real users while one that allows them stops nothing. If possible, restrict access to the /LoginRegistration.php endpoint via network controls, or place a web application firewall (WAF) with SQL injection rules in front of it as a stopgap. Monitor for requests targeting the vulnerable parameters; if they are submitted in a POST body, ordinary web server access logs will not show them, so this monitoring has to happen where the request body is visible (WAF, reverse proxy, or the application itself). Apply the official fix as soon as SourceCodester releases one. Until then, consider disabling or limiting the save_user/update_user functionality if feasible. Review the rest of the code base for the same pattern, since other parameters may be affected, and train development teams on secure query construction to prevent recurrence.
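
Added example, not part of the original advisory or the project's code: a small check that decodes a form body and flags field values that look like SQL injection, for use wherever the request body is visible (a WAF hook, a reverse proxy, or the application itself). The request bodies are constructed for this demonstration, the field names are assumed from the advisory, and the indicator patterns are illustrative heuristics rather than a vendor rule set; a lone apostrophe is deliberately not an indicator because real names contain one.

```python
import re
from urllib.parse import parse_qs, urlencode

# Illustrative indicator patterns (assumed, not a vendor rule set).
SQLI_INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(or|and)\b", re.I),              # ' OR 1=1
    "quote_then_assignment": re.compile(r"'\s*,\s*\w+\s*=", re.I),          # ', password=
    "quote_then_clause": re.compile(r"'\s*(where|union|select)\b", re.I),   # ' WHERE ...
    "comment_terminator": re.compile(r"(--|/\*|'\s*#)"),                    # -- , /* , '#
    "stacked_statement": re.compile(r";\s*(select|insert|update|delete|drop|alter)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
}

def scan_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body and return
    {field: [indicator names]} for every field whose value matches an indicator.
    Every field is checked, not only fullname, because the advisory notes that
    other parameters may be affected."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = [name for name, rx in SQLI_INDICATORS.items() if rx.search(value)]
            if hits:
                findings.setdefault(field, []).extend(hits)
    return findings

# Constructed request bodies, as a WAF or proxy hook would see them. The
# injection strings are generic examples, not the published exploit.
SAMPLE_BODIES = {
    "benign": urlencode({"fullname": "Mary O'Brien", "username": "mob", "password": "pw"}),
    "fullname_injection": urlencode({
        "fullname": "x', password='owned' WHERE username='admin'--",
        "username": "bob",
        "password": "pw",
    }),
    "other_parameter": urlencode({
        "fullname": "Bob Example",
        "username": "admin' OR 1=1--",
        "password": "pw",
    }),
}

def scan_samples() -> dict:
    """Scan every constructed body; returns {label: findings}."""
    return {label: scan_form_body(body) for label, body in SAMPLE_BODIES.items()}

if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {'ALERT ' + str(findings) if findings else 'clean'}")
```

The benign body with an apostrophe in the name comes back clean, the fullname payload is flagged on three indicators, and the injection in the username field is caught even though the advisory names only fullname. Heuristics like these are a monitoring aid and will produce occasional false positives on unusual names; they are not a substitute for the parameterized queries above.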


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2025-11-09T13:02:00.518Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69116258b9239aa390814bb4

Added to database: 11/10/2025, 3:56:08 AM

Last enriched: 11/17/2025, 4:49:49 AM

Last updated: 12/23/2025, 1:51:49 AM


