CVE-2025-13568 identifies a SQL injection vulnerability in the itsourcecode COVID Tracking System version 1.0. The vulnerability exists in an unspecified function within the /admin/?page=people endpoint, where the ID parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. This flaw can be exploited remotely without requiring user interaction, but does require low-level privileges, such as an authenticated user with limited rights. The vulnerability impacts the confidentiality, integrity, and availability of the system's database by enabling unauthorized data retrieval, modification, or deletion. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the attack vector is network-based, with low attack complexity and no user interaction needed, but requiring some privileges. No patches have been published yet, and no active exploits are reported in the wild, though proof-of-concept exploit code is available, increasing the risk of exploitation. The COVID Tracking System likely stores sensitive health data, making this vulnerability particularly concerning for organizations managing pandemic response data. The lack of authentication bypass means attackers must have some access, but the low privilege requirement means many users could potentially exploit this flaw. The vulnerability highlights the need for secure coding practices around input validation and parameterized queries in web applications handling sensitive data.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive COVID-19 tracking data, which may include personal health information of citizens. Exploitation could lead to unauthorized data disclosure, manipulation of health records, or disruption of tracking operations, undermining public health efforts and trust. The availability of the system could also be affected if attackers execute destructive SQL commands. Given the critical role of COVID tracking systems in managing public health responses, any compromise could have cascading effects on healthcare services and policy decisions. Moreover, data breaches involving health information are subject to strict regulatory penalties under GDPR, increasing the legal and financial impact on affected organizations. The medium severity rating suggests that while the vulnerability is not trivially exploitable by unauthenticated attackers, the risk remains substantial due to the sensitivity of the data and the availability of exploit code.

Organizations should immediately audit and sanitize all inputs to the /admin/?page=people endpoint, specifically the ID parameter, by implementing parameterized queries or prepared statements to prevent SQL injection. Restrict administrative interface access using strong authentication and network segmentation to limit exposure. Monitor database logs and application behavior for unusual queries or access patterns indicative of exploitation attempts. Apply the principle of least privilege to user accounts, ensuring that users have only the necessary permissions to perform their roles. If possible, isolate the COVID Tracking System from external networks or place it behind a web application firewall (WAF) configured to detect and block SQL injection attempts. Since no official patch is currently available, consider temporary mitigations such as disabling the vulnerable functionality or restricting access to trusted IP addresses. Regularly update and review security controls and prepare to deploy patches once released by the vendor. Conduct security awareness training for administrators to recognize and respond to potential exploitation signs.