CVE-2025-14967 identifies a SQL injection vulnerability in the itsourcecode Student Management System version 1.0, located in the /candidates_report.php file. The vulnerability arises from improper sanitization of the 'school_year' parameter, which an attacker can manipulate to inject arbitrary SQL commands. This injection flaw allows remote attackers to execute unauthorized SQL queries without authentication or user interaction, potentially exposing sensitive student data or enabling unauthorized data modification. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, low complexity, and no required privileges or user interaction. Although no active exploitation has been confirmed, a public exploit is available, increasing the risk of exploitation. The vulnerability impacts confidentiality, integrity, and availability, as attackers could extract sensitive information, alter records, or disrupt system operations. The lack of patches or vendor-provided fixes necessitates immediate mitigation efforts. The vulnerability is particularly concerning for educational institutions relying on this software for student data management, as exploitation could lead to data breaches or operational disruptions.

For European organizations, particularly educational institutions using the itsourcecode Student Management System, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of sensitive student information, including academic records and personal data, violating GDPR and other data protection regulations. Integrity of student data could be compromised, affecting academic evaluations and reporting. Availability of the system might also be impacted if attackers execute disruptive SQL commands. The presence of a public exploit increases the likelihood of attacks, potentially targeting institutions with weaker security postures. Data breaches could result in reputational damage, regulatory fines, and operational challenges. Given the critical role of student management systems, disruption could affect administrative processes and educational delivery. European organizations must consider the legal and compliance implications alongside technical risks.

Organizations should immediately implement input validation and sanitization for all user-supplied parameters, especially 'school_year' in /candidates_report.php. Employ parameterized queries or prepared statements to prevent SQL injection. If vendor patches become available, apply them promptly. In the absence of patches, consider deploying web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting this parameter. Conduct thorough code reviews and security testing of the application to identify and remediate similar vulnerabilities. Monitor database logs and application behavior for unusual queries or access patterns indicative of exploitation attempts. Educate developers and administrators on secure coding practices and incident response procedures. Regularly back up data and ensure recovery plans are in place to mitigate potential data integrity or availability impacts.