CVE-2025-12929: SQL Injection in SourceCodester Survey Application System
A flaw has been found in SourceCodester Survey Application System 1.0. It affects the functions save_user and update_user in the file /LoginRegistration.php: manipulating the fullname argument can lead to SQL injection. The attack can be performed remotely. An exploit has been published and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-12929 is a SQL injection vulnerability in SourceCodester Survey Application System version 1.0. The flaw resides in the save_user and update_user functions in /LoginRegistration.php, where the 'fullname' parameter is not sanitized or validated before being used in SQL queries. A remote attacker can therefore inject SQL into those queries and potentially read, modify, or delete database contents. The vulnerability requires neither authentication nor user interaction, which lowers the bar to exploitation. The CVSS 4.0 score of 6.9 reflects medium severity, considering the impact on confidentiality, integrity, and availability together with the ease of exploitation. Although no exploitation in the wild is known at the time of writing, a public exploit has been published, which increases the likelihood of attacks. The vulnerability may also affect other parameters, indicating a broader input validation problem in the application. The SourceCodester Survey Application System is a niche product used for managing survey data, so exploitation could expose sensitive survey responses and user information or disrupt survey services. No patch was available at the time of publication, so users of this software need to apply mitigations themselves.
Potential Impact
For European organizations using SourceCodester Survey Application System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of survey data, which may include personal or sensitive information. Successful exploitation could lead to unauthorized data disclosure, data tampering, or deletion, undermining trust and compliance with data protection regulations such as GDPR. Additionally, availability of the survey system could be impacted, disrupting business operations reliant on survey data collection and analysis. Organizations in sectors like market research, public opinion polling, and customer feedback management are particularly vulnerable. The remote, unauthenticated nature of the attack vector increases the risk of widespread exploitation if the software is exposed to the internet. The medium severity rating suggests that while the threat is serious, it may be mitigated with timely intervention. However, failure to address the vulnerability could lead to regulatory penalties and reputational damage in the European context.
Mitigation Recommendations
1. Immediately implement input validation and sanitization on all user-supplied data, especially the 'fullname' parameter in the save_user and update_user functions.
2. Refactor the application code to use parameterized queries or prepared statements to prevent SQL injection.
3. Restrict direct internet exposure of the Survey Application System through network segmentation or firewall rules to limit the attack surface.
4. Monitor application logs for unusual database query patterns or errors indicative of injection attempts.
5. If possible, upgrade to a patched version of the software once available from the vendor, or apply community-provided patches.
6. Conduct a thorough security audit of the entire application to identify and remediate other potential injection points.
7. Educate developers and administrators on secure coding practices and the importance of input validation.
8. Deploy a web application firewall (WAF) with SQL injection detection rules as an additional protective layer.
9. Regularly back up survey data to enable recovery in case of data corruption or deletion.
10. Review and update incident response plans to handle potential exploitation scenarios effectively.
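As an added illustration, and not code from the Survey Application System itself (its source is not reproduced on this page), the following shows the concatenation pattern the advisory describes beside the prepared-statement form that recommendations 1 and 2 call for; the table and column names, the connection string and the credentials are assumptions.

```php
<?php
// Added example, not the project's code. Table 'users' with columns
// id, fullname, username, and the PDO DSN/credentials, are assumptions.

// Vulnerable pattern (assumed reconstruction of what the advisory describes):
// $fullname is spliced straight into the SQL text, so quotes or SQL syntax
// inside it change the statement instead of being stored as a name.
function save_user_vulnerable(PDO $db, string $fullname, string $username): bool {
    $sql = "INSERT INTO users (fullname, username) VALUES ('$fullname', '$username')";
    return $db->exec($sql) !== false;
}

// Hardened form: the statement is compiled with placeholders first and the
// values are bound afterwards, so the database only ever sees them as data.
function save_user(PDO $db, string $fullname, string $username): bool {
    $stmt = $db->prepare(
        'INSERT INTO users (fullname, username) VALUES (:fullname, :username)'
    );
    return $stmt->execute([':fullname' => $fullname, ':username' => $username]);
}

function update_user(PDO $db, int $id, string $fullname): bool {
    $stmt = $db->prepare('UPDATE users SET fullname = :fullname WHERE id = :id');
    $stmt->bindValue(':fullname', $fullname, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Defence in depth (recommendation 1): reject anything that cannot be a name
// before it reaches the database, independently of the query layer.
function valid_fullname(string $fullname): bool {
    $len = mb_strlen($fullname);
    return $len >= 1 && $len <= 100
        && preg_match('/^[\p{L}\p{M} .\'-]+$/u', $fullname) === 1;
}

// Connection setup (placeholder DSN and credentials). Emulated prepares are
// disabled so that binding is done by the MySQL server, not by PHP-side
// string escaping; exceptions keep failed queries from being silently ignored.
$db = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

if (valid_fullname($_POST['fullname'] ?? '')) {
    save_user($db, $_POST['fullname'], $_POST['username'] ?? '');
}
```

The same placeholder-then-bind structure should be applied to every other parameter the file reads, since the advisory notes that parameters beyond fullname may be affected.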
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-09T13:02:00.518Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69116258b9239aa390814bb4
Added to database: 11/10/2025, 3:56:08 AM
Last enriched: 11/10/2025, 4:00:44 AM
Last updated: 11/10/2025, 8:14:20 AM