CVE-2025-13325 is a SQL injection vulnerability identified in the itsourcecode Student Information System (SIS) version 1.0. The vulnerability resides in the /enrollment_edit1.php script, where the en_id parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without authentication or user interaction, enabling attackers to manipulate backend database queries. Potential consequences include unauthorized retrieval, modification, or deletion of sensitive student information stored in the database. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to low complexity of attack and no required privileges, but limited impact scope and partial confidentiality, integrity, and availability impact. Although no public patches have been released, the exploit details have been disclosed, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the software, and no known exploits are currently active in the wild. The lack of authentication requirement and remote attack vector make this vulnerability particularly concerning for institutions relying on this SIS for managing enrollment and student data. The vulnerability highlights the importance of secure coding practices such as input validation and use of parameterized queries to prevent SQL injection attacks.

For European organizations, especially educational institutions using the itsourcecode Student Information System 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of student data. Exploitation could lead to unauthorized access to sensitive personal information, including enrollment records, grades, and possibly financial data. This could result in data breaches subject to GDPR penalties, reputational damage, and loss of trust. Integrity of data could be compromised, leading to incorrect academic records or enrollment statuses, disrupting administrative processes. Availability could also be affected if attackers execute destructive queries or cause database corruption. The remote and unauthenticated nature of the vulnerability increases the attack surface, making it easier for threat actors to target multiple institutions. Given the critical role of student information systems in educational operations, exploitation could disrupt academic activities and compliance reporting. The medium severity score suggests moderate but non-negligible risk, warranting prompt remediation to avoid escalation or chaining with other vulnerabilities.

To mitigate CVE-2025-13325, organizations should immediately implement input validation and sanitization on the en_id parameter to prevent injection of malicious SQL code. Employing parameterized queries or prepared statements is essential to ensure that user input is treated as data rather than executable code. Restrict database user permissions to the minimum necessary to limit the impact of any successful injection. If patches or updates from itsourcecode become available, they should be applied promptly. In the absence of official patches, consider deploying web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable parameter. Conduct thorough code reviews and security testing of the SIS application to identify and remediate similar injection points. Regularly monitor logs for suspicious database query patterns or anomalies. Additionally, ensure that backups of student data are maintained securely to enable recovery in case of data corruption or loss. Educate IT staff and administrators about the vulnerability and the importance of timely remediation.