CVE-2025-13585: SQL Injection in itsourcecode COVID Tracking System
A vulnerability was detected in itsourcecode COVID Tracking System 1.0. It affects unspecified processing in the file /login.php: manipulation of the argument code results in SQL injection. The attack can be performed remotely. An exploit is public and may be used.
AI Analysis
Technical Summary
CVE-2025-13585 identifies a SQL injection vulnerability in the itsourcecode COVID Tracking System version 1.0, located in the /login.php script, where the value of the code parameter reaches a SQL query without proper escaping or parameterization. Because the flaw sits in the login handler, it is reachable before authentication, and no user interaction is needed. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, and no privileges or user interaction required. Depending on the database privileges of the application account, exploitation could allow an attacker to bypass the login check, read sensitive records, modify or delete data, or disrupt availability of the backend database. The advisory does not include the vulnerable source, but the bug class is consistent with untrusted input concatenated into SQL text instead of being bound through prepared statements. No in-the-wild exploitation has been reported, but a public exploit lowers the bar for opportunistic attacks. Where the application is used to hold real case or contact-tracing records, that data includes personal health information, so a successful attack would carry confidentiality and regulatory consequences, for example under GDPR.
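The following is an added illustration of the bug class described above, not code from the itsourcecode project (whose login.php source is not reproduced in this advisory). It models a login lookup keyed on a code value against an in-memory SQLite table with an assumed schema, and contrasts string concatenation with a bound parameter. The table name, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed schema and data for illustration only; the real application's
# table and column names are not known from the advisory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, code TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users (code, name) VALUES (?, ?)",
        [("A1B2C3", "alice"), ("Z9Y8X7", "bob")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, code):
    # Mirrors the bug class: untrusted input becomes part of the SQL text,
    # so quotes and keywords in `code` change the query's structure.
    sql = "SELECT id, name FROM users WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def login_hardened(conn, code):
    # Bound parameter: the value is sent separately from the statement and
    # can never be parsed as SQL, whatever characters it contains.
    sql = "SELECT id, name FROM users WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


# Two classic payloads: a tautology that bypasses the lookup entirely, and a
# UNION that pulls every stored code out of the table through the login query.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, code FROM users --"


def compare(payload):
    """Return (rows from vulnerable query, rows from hardened query)."""
    conn = make_db()
    return login_vulnerable(conn, payload), login_hardened(conn, payload)


if __name__ == "__main__":
    for p in (TAUTOLOGY, UNION_DUMP, "A1B2C3"):
        vuln, safe = compare(p)
        print(f"{p!r}: vulnerable -> {vuln}, hardened -> {safe}")
```

Run against the constructed table, the tautology returns both user rows from the concatenated query and none from the parameterized one; the UNION payload returns the stored codes (the very secret a login check protects) from the vulnerable path and nothing from the hardened path, while a genuine code returns exactly one row from both.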
Potential Impact
For European organizations, exploitation of this SQL injection could give an unauthenticated attacker access to the data held by the COVID Tracking System, which in a real deployment includes personally identifiable information and health status. That exposure would be a personal data breach under GDPR, with the associated notification duties, potential penalties and reputational damage. Integrity is also at stake: altered or deleted records would distort case tracking and reporting that feed public health decisions. Availability could be affected if an attacker drops tables or otherwise disrupts the database. The medium severity rating reflects a real but not critical risk; the public exploit raises the urgency of acting on it. Healthcare providers, public agencies and contractors that run this application, especially exposed to the internet and unpatched, are the most likely targets.
Mitigation Recommendations
Organizations should first establish whether they run itsourcecode COVID Tracking System version 1.0 and, where feasible, restrict access to the application (and /login.php in particular) to trusted networks. The definitive fix is to rewrite the login query so that the code value is bound through prepared statements or parameterized queries rather than concatenated into SQL text; input validation is a useful additional control but not a substitute. Apply an official vendor patch or update as soon as one is available. Until then, a web application firewall with SQL injection rules scoped to the vulnerable parameter can reduce exposure, with the understanding that signature-based blocking is bypassable. Review the rest of the code base for the same pattern, since an injection in one handler of a small PHP application is rarely the only one, and confirm the results with penetration testing. Monitor web server and database logs for injection attempts against /login.php, and run the application with a database account limited to the tables and statements it actually needs so that a successful injection cannot read or alter unrelated data. Finally, make sure an incident response plan covers a confirmed breach of this system.
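As an added example for the log-monitoring recommendation (not part of the original advisory or the vendor's product), the script below scans constructed Apache/nginx combined-format access log lines for requests to /login.php whose code parameter contains SQL injection markers. The log lines, IP addresses and timestamps are made up for the example, and the heuristic is a starting point rather than a complete signature set. One caveat: the advisory does not say whether code is sent via GET or POST, and POST bodies do not appear in access logs, so a POST-based attack would need application- or WAF-level logging to be seen.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Injection markers: a quote followed by a SQL keyword, UNION ... SELECT,
# comment sequences, and common time-based probes. Deliberately narrow; a
# quote on its own is too noisy for most login forms.
SQLI_RE = re.compile(
    r"'.*?\b(or|and|union|select)\b"
    r"|\bunion\b\s+\bselect\b"
    r"|--|/\*"
    r"|\b(sleep|benchmark)\s*\(",
    re.IGNORECASE,
)

# Constructed sample lines for the example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Nov/2025:06:16:00 +0000] "GET /login.php?code=A1B2C3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2025:06:16:03 +0000] "GET /login.php?code=%27+OR+%271%27%3D%271 HTTP/1.1" 200 4120 "-" "curl/8.5.0"
198.51.100.7 - - [24/Nov/2025:06:16:04 +0000] "GET /login.php?code=x%27%20UNION%20SELECT%201%2Csqlite_version()--%20- HTTP/1.1" 500 312 "-" "curl/8.5.0"
192.0.2.9 - - [24/Nov/2025:06:17:10 +0000] "GET /index.php?code=%27+OR+1%3D1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Nov/2025:06:18:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2025:06:19:30 +0000] "GET /login.php?code=%2527%2520OR%25201%253D1 HTTP/1.1" 200 4120 "-" "curl/8.5.0"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_code_values(log_text, paths=("/login.php",), param="code"):
    """Return (ip, timestamp, status, decoded value) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path not in paths:
            continue
        # parse_qs decodes one layer; decode once more so a double-encoded
        # payload (%2527 -> %27 -> ') is inspected in its final form.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            decoded = unquote_plus(value)
            if SQLI_RE.search(decoded):
                hits.append((rec["ip"], rec["ts"], rec["status"], decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, status, value in suspicious_code_values(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} code={value!r}")
```

On the sample, the tautology, the UNION probe and the double-encoded tautology against /login.php are reported; the benign login, the POST without a logged body, and the same payload against a different path are not. A 500 status on a flagged request is worth treating as a stronger signal, since it often indicates the injected text reached the database and produced a syntax error.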
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-23T09:57:21.722Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6923f820011871acbdece00a
Added to database: 11/24/2025, 6:16:00 AM
Last enriched: 12/8/2025, 7:17:52 AM
Last updated: 1/9/2026, 4:40:12 AM