CVE-2025-13122 identifies a SQL injection vulnerability in the SourceCodester Patients Waiting Area Queue Management System version 1.0, specifically in the getPatientAppointment function located in /php/api_patient_checkin.php. The vulnerability arises due to insufficient sanitization or validation of the appointmentID parameter, which is directly used in SQL queries. An attacker can remotely manipulate this parameter to inject arbitrary SQL commands, potentially extracting sensitive patient data, modifying records, or disrupting database integrity. The attack requires no authentication or user interaction, making it highly accessible to remote threat actors. The vulnerability is classified with a CVSS 4.0 score of 6.9, indicating a medium severity level with network attack vector, low complexity, and no privileges required. Although no active exploits have been reported in the wild, the public availability of exploit code increases the likelihood of exploitation attempts. The affected system is typically deployed in healthcare environments to manage patient queues, making the confidentiality and integrity of patient data critical. The lack of patches or vendor-provided fixes at the time of publication necessitates immediate mitigation through secure coding practices and input validation.

For European organizations, particularly healthcare providers using the affected queue management system, this vulnerability poses significant risks. Exploitation can lead to unauthorized disclosure of sensitive patient information, violating GDPR and other data protection regulations, potentially resulting in legal penalties and reputational damage. Data integrity may also be compromised, affecting appointment scheduling and patient care workflows, which could disrupt healthcare services. The remote and unauthenticated nature of the attack vector increases the risk of widespread exploitation, especially in environments with internet-facing API endpoints. Additionally, the public availability of exploit code lowers the barrier for attackers, including cybercriminals and hacktivists targeting healthcare infrastructure. The impact extends beyond data breaches to potential operational disruptions, undermining trust in healthcare IT systems across Europe.

Organizations should immediately implement strict input validation and sanitization for the appointmentID parameter to prevent SQL injection. Employing parameterized queries or prepared statements in the getPatientAppointment function is critical to eliminate direct SQL command injection. Network-level protections such as web application firewalls (WAFs) should be configured to detect and block SQL injection attempts targeting the vulnerable endpoint. Conduct thorough code reviews and security testing of the affected application components. If possible, isolate the queue management system from direct internet exposure and restrict access to trusted internal networks. Monitor logs for suspicious activities related to appointmentID parameter manipulation. Engage with the vendor or community to obtain patches or updates addressing this vulnerability. Finally, ensure compliance with GDPR by reviewing data access controls and incident response plans in case of exploitation.