CVE-2025-13325: SQL Injection in itsourcecode Student Information System
A vulnerability was found in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /enrollment_edit1.php. Manipulating the argument en_id can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Analysis
Technical Summary
CVE-2025-13325 is a SQL injection vulnerability in itsourcecode Student Information System 1.0. The flaw is in /enrollment_edit1.php, where the en_id request parameter reaches a database query without being validated or bound as a parameter, so whoever controls that value can change the query the application runs. The public description says the attack can be launched remotely; it does not say whether a logged-in session is needed. The CVSS 4.0 base score of 5.3 (medium) with low confidentiality, integrity and availability impact corresponds to a vector that requires low privileges (PR:L); the same vector without privileges scores 6.9. Treat "unauthenticated" as unconfirmed rather than established, and plan as if any user with an account can reach the endpoint. A successful injection allows unauthorized reading, modification or deletion of rows in the application database, including student and enrollment records and, subject to the grants of the database account the application uses, other tables such as user accounts. A proof-of-concept exploit has been published; no in-the-wild exploitation is reported, but public disclosure makes opportunistic scanning of exposed instances more likely. Only version 1.0 is listed as affected, and no vendor patch is referenced here. The root cause is the usual one for this class of bug: user input concatenated into SQL text instead of being passed to a prepared statement as a bound parameter. For an institution that uses this system to manage enrollment, the records involved are personal data, so a breach has regulatory as well as operational consequences.
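The following is an added illustration of the mechanism described above, not code from the itsourcecode project (the real application is PHP/MySQL and its schema is not on this page; the table and column names, the SQLite database and the sample rows are all constructed for the demonstration). It shows an id lookup written the injectable way beside the same lookup with input validation and a bound parameter, and a UNION payload in the en_id position that pulls rows out of an unrelated table from the vulnerable version while the hardened version refuses the value.

```python
import re
import sqlite3

# Constructed stand-in for the application's database (assumed schema).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE enrollment (en_id INTEGER PRIMARY KEY, student_name TEXT, course TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO enrollment VALUES (1, 'Ana Ruiz', 'Math 101'), (2, 'Ben Adler', 'Physics 201');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$fakehashfordemo');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, en_id: str) -> list:
    # The injectable pattern: the request value becomes part of the SQL text,
    # so anything the attacker writes is parsed as query syntax.
    sql = f"SELECT en_id, student_name, course FROM enrollment WHERE en_id = {en_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, en_id: str) -> list:
    # en_id is an integer identifier: reject anything else before it gets near
    # the database, then bind it as a parameter so it can only ever be data.
    # (str.isdigit is avoided on purpose: it accepts Unicode digits that int() rejects.)
    if not re.fullmatch(r"[0-9]+", en_id):
        raise ValueError("en_id must be a positive integer")
    sql = "SELECT en_id, student_name, course FROM enrollment WHERE en_id = ?"
    return conn.execute(sql, (int(en_id),)).fetchall()


# A UNION payload for the en_id position: 0 matches nothing in enrollment,
# the appended SELECT returns the users table through the same three columns.
PAYLOAD = "0 UNION SELECT id, username, password_hash FROM users"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "2"))
    print("vulnerable, payload      :", lookup_vulnerable(db, PAYLOAD))
    print("hardened, honest input   :", lookup_hardened(db, "2"))
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened, payload        : rejected,", exc)
```

In the PHP application the equivalent of `lookup_hardened` is a mysqli or PDO prepared statement with the id bound as an integer (`bind_param('i', $en_id)` or `bindValue(':en_id', (int)$en_id, PDO::PARAM_INT)`); the validation step matters too, but the bound parameter is the control that removes the bug.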
Potential Impact
For European organizations running this system, mainly schools and universities, the exposure is the confidentiality and integrity of student records: exploitation could disclose personal data, alter enrollment records, or disrupt student-facing services. Those are personal-data incidents under the GDPR, with notification duties and possible penalties on top of the reputational harm and loss of trust from students and staff. Likelihood is highest where the web interface is reachable from the internet with no network segmentation or access control in front of it; it is lower if the endpoint requires a logged-in session, which the page does not settle, so do not rely on that. The medium score indicates that the flaw on its own is unlikely to give full host compromise or broad service disruption, but a read/write primitive against the database is enough to breach the data the system exists to protect. Institutions with small security teams and informal patch management are the most exposed, and with no vendor patch referenced the window stays open until compensating controls are in place.
Mitigation Recommendations
1. Fix the code. en_id is an integer identifier, so reject any value that is not a positive integer before it reaches the database, and pass it to the query as a bound parameter (in PHP, a mysqli or PDO prepared statement) instead of concatenating it into the SQL string. Validation alone is not a fix; the bound parameter is what removes the injection.
2. Audit the rest of the application for the same pattern. Every page that takes an id or other value from the request and builds a query with string concatenation has the same problem, whatever the CVE lists.
3. Reduce exposure until the code is fixed: put the application behind a VPN or an IP allow-list, or at least restrict /enrollment_edit1.php to authenticated staff at the web-server or firewall level.
4. As a stopgap only, add a WAF or ModSecurity rule that blocks requests to /enrollment_edit1.php whose en_id value is not a plain integer. Generic SQL-injection signatures are bypassable; a positive rule (digits only for this parameter) is both tighter and simpler, and neither replaces the code fix.
5. Monitor web-server access logs for en_id values that are not plain integers, including percent-encoded quotes, comment markers, UNION and SLEEP, and for bursts of requests to this path from one client. Access logs record GET query strings only; if the parameter is also accepted via POST, enable request-body logging on the proxy or the MySQL general or slow query log to see the injected queries themselves.
6. Run the application's database account with least privilege: only the tables and statements the application needs, no FILE privilege, no access to other schemas. This does not prevent the injection but bounds what a successful one can reach.
7. Ask the vendor or the community for an official fix, and track whether one is published; until then the controls above are the patch.
8. Keep current, tested backups of the database and rehearse restoration, so that manipulated or deleted records can be recovered.
9. Make sure IT and security staff understand that concatenated SQL is never acceptable in new code, and that published proof-of-concept exploits shorten the time available for patching.
10. Document the vulnerability, the mitigations applied, and any related incident as part of GDPR accountability obligations, and assess whether a personal-data breach has to be notified.
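The log-monitoring item above, worked through as an added example that is not part of the original advisory or of the itsourcecode project. The script parses Combined Log Format lines (the request line, client address and status fields are enough), extracts en_id from requests to /enrollment_edit1.php, decodes it a second time to catch double-encoded payloads, and flags anything that is not a plain integer, labelling values that also carry SQL syntax. The log lines are constructed for the example; the addresses are documentation ranges.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format, the fields this check needs; extra trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that only make sense if the value is being parsed as SQL.
SQL_SYNTAX = re.compile(
    r"""(['"`;]|--|/\*|#|\b(union|select|sleep|benchmark|or|and)\b)""",
    re.IGNORECASE,
)

TARGET_PATH = "/enrollment_edit1.php"


def classify_en_id(value: str):
    """None for a legitimate integer id, otherwise a short reason string."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if SQL_SYNTAX.search(value):
        return "sqli-pattern"
    return "non-numeric"


def scan_log(lines):
    """Return (client_ip, decoded_en_id, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip, do not crash
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_PATH):
            continue
        # parse_qs percent-decodes once; a second unquote exposes double-encoded
        # payloads such as en_id=1%2527, which a single-pass filter would pass.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("en_id", []):
            value = unquote(raw)
            reason = classify_en_id(value)
            if reason:
                hits.append((m.group("ip"), value, reason))
    return hits


# Constructed sample traffic: one honest request, a time-based probe, a UNION
# probe (server error), an unrelated page, and a double-encoded quote.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2025:00:12:01 +0000] "GET /enrollment_edit1.php?en_id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Nov/2025:00:12:09 +0000] "GET /enrollment_edit1.php?en_id=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120',
    '198.51.100.3 - - [18/Nov/2025:00:13:44 +0000] "GET /enrollment_edit1.php?en_id=0%20UNION%20SELECT%201,2,3,4,5 HTTP/1.1" 500 312',
    '198.51.100.3 - - [18/Nov/2025:00:14:02 +0000] "GET /index.php?page=1%27 HTTP/1.1" 200 800',
    '192.0.2.9 - - [18/Nov/2025:00:15:30 +0000] "GET /enrollment_edit1.php?en_id=1%2527 HTTP/1.1" 200 5120',
]


if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:<14} {reason:<13} en_id={value!r}")
```

Note that the time-based probe above returns 200 just like the honest request, so filtering on status codes would miss it; the parameter value is the signal. Requests that send en_id in a POST body do not appear in the access log at all, which is why the monitoring item also calls for request-body or database query logging.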
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-17T17:27:25.584Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691bb966d4c3ef3c7a51160c
Added to database: 11/18/2025, 12:10:14 AM
Last enriched: 11/18/2025, 12:15:15 AM
Last updated: 11/18/2025, 7:29:25 AM