CVE-2025-13248: SQL Injection in SourceCodester Patients Waiting Area Queue Management System
A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is an unknown function of the file /php/api_patient_schedule.php. Manipulation of the argument appointmentID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
AI Analysis
Technical Summary
CVE-2025-13248 identifies a SQL injection vulnerability in SourceCodester Patients Waiting Area Queue Management System version 1.0, specifically within an unspecified function in the /php/api_patient_schedule.php file. The vulnerability arises from improper sanitization of the appointmentID parameter, which is directly used in SQL queries. This allows remote attackers to inject malicious SQL code without requiring authentication or user interaction, enabling them to manipulate the backend database. Potential impacts include unauthorized data access, data modification, or deletion, and possibly disruption of queue management services critical to healthcare operations. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction needed, but limited confidentiality, integrity, and availability impact. Although no active exploitation has been reported, the public availability of exploit code increases the risk of attacks. The affected product is used in healthcare settings to manage patient queues, making the confidentiality and availability of patient scheduling data particularly sensitive. The lack of vendor patches or official remediation guidance necessitates immediate defensive measures by users.
Potential Impact
For European organizations, especially healthcare providers using the SourceCodester Patients Waiting Area Queue Management System, this vulnerability poses a significant risk to patient data confidentiality and operational continuity. Exploitation could lead to unauthorized access to sensitive patient appointment data, manipulation or deletion of scheduling information, and potential denial of service in patient queue management. Such disruptions could degrade healthcare service quality and violate data protection regulations like GDPR, leading to legal and reputational consequences. The medium severity rating reflects that while the vulnerability is exploitable remotely without authentication, the impact is somewhat limited to the affected system's data and services. However, given the critical nature of healthcare operations, even partial data compromise or service disruption can have serious consequences. The public disclosure of exploit code increases the likelihood of opportunistic attacks targeting vulnerable installations in Europe.
Mitigation Recommendations
Organizations should immediately audit their use of the SourceCodester Patients Waiting Area Queue Management System version 1.0 and identify exposed instances of /php/api_patient_schedule.php. Since no official patches are currently available, implement the following mitigations:
1) Apply strict input validation and sanitization on the appointmentID parameter to prevent injection of malicious SQL code.
2) Refactor database queries to use parameterized statements or prepared queries to eliminate direct concatenation of user inputs.
3) Restrict database user permissions to the minimum necessary, preventing unauthorized data manipulation or access.
4) Employ web application firewalls (WAFs) with SQL injection detection rules to block suspicious requests targeting the vulnerable endpoint.
5) Monitor logs for unusual query patterns or repeated failed attempts to exploit the vulnerability.
6) Plan to upgrade or replace the vulnerable system with a secure alternative or patched version once one is available.
7) Conduct security awareness training for IT staff so they recognize and respond to exploitation attempts promptly.
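Mitigations 1, 2 and 5 above, worked through in Python as an added example; this is not code from the product or from this advisory, and the schedule table schema, the access-log format and the sample log lines are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the product's schedule table (the real schema is not on the page).
def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE schedule (appointmentID INTEGER PRIMARY KEY, patient TEXT, slot TEXT)")
    db.executemany("INSERT INTO schedule VALUES (?, ?, ?)",
                   [(1, "Patient A", "09:00"), (2, "Patient B", "09:15"), (3, "Patient C", "09:30")])
    return db

# Mitigation 1: allow-list appointmentID as a positive integer of bounded length.
APPOINTMENT_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def validate_appointment_id(raw):
    """Return appointmentID as an int, or None when it fails the allow-list."""
    if raw is None:
        return None
    value = raw.strip()
    return int(value) if APPOINTMENT_ID_RE.fullmatch(value) else None

# Mitigation 2: bind the validated value as a parameter instead of splicing it
# into the SQL text, so the database never parses user input as SQL.
def fetch_schedule(db, raw_appointment_id):
    appointment_id = validate_appointment_id(raw_appointment_id)
    if appointment_id is None:
        return None  # the HTTP handler should answer 400 Bad Request here
    return db.execute("SELECT appointmentID, patient, slot FROM schedule WHERE appointmentID = ?",
                      (appointment_id,)).fetchone()

# Mitigation 5: flag access-log requests to the vulnerable endpoint whose
# appointmentID fails the same allow-list (combined log format assumed).
REQUEST_RE = re.compile(r'"(?:GET|POST) /php/api_patient_schedule\.php\?(?P<query>[^ "]*)')

def flag_suspicious_requests(log_lines):
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match:
            values = parse_qs(match.group("query")).get("appointmentID")
            if values and validate_appointment_id(values[0]) is None:
                hits.append(line)
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2025:11:20:03 +0000] "GET /php/api_patient_schedule.php?appointmentID=7 HTTP/1.1" 200 312',
    '10.0.0.9 - - [16/Nov/2025:11:21:10 +0000] "GET /php/api_patient_schedule.php?appointmentID=7%27 HTTP/1.1" 500 0',
    '10.0.0.5 - - [16/Nov/2025:11:22:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

The same allow-list serves both the request handler and the log scan, so a value the application would reject is exactly the value the monitoring flags.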
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-15T14:57:15.870Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6919b363cd4374a700c8728d
Added to database: 11/16/2025, 11:20:03 AM
Last enriched: 11/16/2025, 11:27:28 AM
Last updated: 11/16/2025, 12:22:54 PM