CVE-2025-4720 is a path traversal vulnerability identified in SourceCodester Student Result Management System version 1.0. The vulnerability exists in the file academic/core/drop_student.php, where the 'img' argument can be manipulated by an attacker to perform path traversal attacks. This allows an attacker to access files and directories outside the intended scope of the application by modifying the file path input. The vulnerability can be exploited remotely without requiring user interaction or authentication, increasing its risk profile. Although the exact code details are unknown, the vulnerability enables an attacker to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other protected data. The CVSS 4.0 base score is 5.3, indicating a medium severity level, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality and integrity is limited but present, with some impact on availability possible if critical files are accessed or manipulated. No public exploits are currently known in the wild, but the exploit details have been disclosed publicly, increasing the risk of exploitation. No official patches or mitigations have been linked yet, so organizations using this system should prioritize risk assessment and implement compensating controls.

For European organizations, the impact of this vulnerability depends on the deployment of the SourceCodester Student Result Management System version 1.0 within educational institutions or related administrative bodies. Exploitation could lead to unauthorized disclosure of sensitive student data, administrative credentials, or internal system files, potentially violating GDPR and other data protection regulations. This could result in reputational damage, regulatory fines, and operational disruptions. Since the vulnerability allows remote exploitation without authentication, attackers could leverage it to gain initial access or escalate privileges within the affected environment. The exposure of sensitive academic records or personal data could have significant privacy implications. Additionally, if attackers access system files or configuration data, they might further compromise the system or pivot to other internal resources. The medium severity rating suggests a moderate risk, but the lack of patches and public exploit code availability necessitate prompt attention to avoid potential breaches.

Given the absence of official patches, European organizations should implement the following specific mitigations: 1) Restrict access to the vulnerable application by IP whitelisting or network segmentation to limit exposure to trusted networks only. 2) Employ web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in HTTP requests, specifically targeting the 'img' parameter in drop_student.php. 3) Conduct code review and apply input validation and sanitization to the 'img' parameter, ensuring that directory traversal characters (e.g., '../') are filtered or rejected. 4) Monitor application logs for suspicious access patterns or attempts to exploit path traversal. 5) If feasible, replace or upgrade the Student Result Management System to a more secure version or alternative product. 6) Implement strict file system permissions to limit the web server's access to only necessary directories, minimizing the impact of any successful traversal. 7) Educate IT and security teams about this vulnerability to ensure rapid detection and response. 8) Prepare incident response plans specific to data breaches involving academic records.