CVE-2025-13568: SQL Injection in itsourcecode COVID Tracking System
A flaw has been found in itsourcecode COVID Tracking System 1.0. It affects an unknown function of the file /admin/?page=people. Manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been published and may be used.
AI Analysis
Technical Summary
CVE-2025-13568 identifies a SQL injection vulnerability in the itsourcecode COVID Tracking System version 1.0, located in the /admin/?page=people endpoint. The vulnerability arises from improper sanitization of the 'ID' parameter, allowing an attacker to inject malicious SQL code remotely. This flaw enables unauthorized database queries that can lead to data leakage, modification, or deletion within the system's backend database. The attack vector is network accessible without user interaction but requires low privileges (likely administrative access to the web interface). The CVSS 4.0 vector indicates no user interaction is needed, and the attack complexity is low. The vulnerability affects confidentiality, integrity, and availability but with limited scope and impact, as indicated by the medium severity score of 5.3. No official patches have been published yet, and no known exploits are active in the wild, but a proof-of-concept exploit is publicly available, increasing the risk of exploitation. The COVID Tracking System is likely used by public health authorities to monitor and manage pandemic-related data, making the confidentiality and integrity of this data critical. Exploitation could lead to unauthorized access to sensitive personal health information or disruption of tracking operations.
Potential Impact
For European organizations, exploitation of this SQL injection vulnerability could result in unauthorized disclosure of sensitive health data, undermining patient privacy and violating GDPR regulations. Integrity of COVID tracking data could be compromised, leading to inaccurate reporting and potentially flawed public health responses. Availability impacts could disrupt critical pandemic monitoring services, delaying interventions. Given the public health importance, such disruptions could have cascading effects on healthcare resource allocation and policy decisions. The medium severity rating reflects moderate risk, but the sensitive nature of the data involved elevates the potential consequences. Organizations relying on this software for pandemic management must consider the reputational damage and legal liabilities arising from data breaches. Furthermore, attackers could leverage this vulnerability as a foothold for further network intrusion, especially if the system is integrated with other healthcare infrastructure.
Mitigation Recommendations
Immediate mitigation steps include implementing strict input validation and sanitization on the 'ID' parameter to prevent SQL injection. Refactoring the code to use parameterized queries or prepared statements is essential to eliminate injection vectors. Restrict administrative interface access through network segmentation, VPNs, or IP whitelisting to reduce exposure. Monitor logs for suspicious query patterns or repeated access attempts targeting the vulnerable endpoint. Apply web application firewalls (WAFs) with custom rules to detect and block SQL injection payloads. Since no official patch is currently available, organizations should consider disabling or restricting the vulnerable functionality until a fix is released. Conduct thorough security assessments of the COVID Tracking System and related infrastructure to identify additional weaknesses. Educate administrators on the risks and signs of exploitation. Finally, ensure regular backups and incident response plans are in place to recover from potential compromises.
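As an added example (not part of this advisory or of the itsourcecode project), the log-monitoring step above can be turned into a small detector: it parses combined-format web server access log lines, isolates requests to /admin/?page=people, flags any ID argument that is not a plain integer, and counts repeated attempts per source address. The log format and the sample lines are constructed; the threshold value is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Minimal parser for Apache/Nginx combined log format (constructed assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ENDPOINT = "/admin/"      # endpoint named in the advisory
VULN_PAGE = "people"           # page= value named in the advisory
INT_RE = re.compile(r"^\d{1,10}$")  # a legitimate record ID is a plain integer

def parse_line(line):
    """Return ip/path/query/status for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    return {"ip": m.group("ip"), "path": parts.path,
            "query": parse_qs(parts.query, keep_blank_values=True),
            "status": int(m.group("status"))}

def is_suspicious(rec):
    """True when the request hits /admin/?page=people with a non-integer ID."""
    if rec is None or rec["path"] != VULN_ENDPOINT:
        return False
    if rec["query"].get("page", [""])[0] != VULN_PAGE:
        return False
    # Match the parameter name case-insensitively; parse_qs already URL-decodes values.
    ids = [v for k, vals in rec["query"].items() if k.lower() == "id" for v in vals]
    return any(not INT_RE.match(v) for v in ids)

def scan(lines, threshold=3):
    """Return (flagged lines, {ip: count} for sources at or above threshold)."""
    counts, flagged = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            flagged.append(line)
            counts[rec["ip"]] += 1
    return flagged, {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log: one benign lookup, three malformed IDs from one source, one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Nov/2025:20:47:00 +0000] "GET /admin/?page=people&id=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Nov/2025:20:47:05 +0000] "GET /admin/?page=people&id=12%27 HTTP/1.1" 500 0',
    '203.0.113.9 - - [23/Nov/2025:20:47:06 +0000] "GET /admin/?page=people&id=12%20OR%201%3D1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Nov/2025:20:47:07 +0000] "GET /admin/?page=people&ID=12%20AND%20x HTTP/1.1" 200 512',
    '10.0.0.7 - - [23/Nov/2025:20:48:00 +0000] "GET /admin/?page=dashboard HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    flagged, offenders = scan(SAMPLE_LOG)
    print(len(flagged), "suspicious requests; repeat sources:", offenders)
```

The integer check is deliberately strict: in this application the ID should only ever be a numeric record key, so any other value is worth an alert regardless of which SQL keywords it contains.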
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-22T19:03:20.427Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692372e6962646bb5af86ebd
Added to database: 11/23/2025, 8:47:34 PM
Last enriched: 11/30/2025, 9:03:47 PM
Last updated: 1/10/2026, 10:09:52 PM
Views: 56