CVE-2025-4837 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Student Project Allocation System, specifically within the /make_group_sql.php file. The vulnerability arises from improper sanitization or validation of the input parameters mem1, mem2, and mem3, which are used in SQL queries. An attacker can manipulate these parameters remotely without any authentication or user interaction to inject malicious SQL code. This can lead to unauthorized access to the backend database, allowing the attacker to read, modify, or delete sensitive data stored within the system. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 6.9, reflecting its network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The Student Project Allocation System is typically used by educational institutions to manage student project group assignments, meaning that the compromised data could include student personal information, project details, and academic records. The vulnerability’s remote exploitability and lack of authentication requirements make it a significant risk for institutions relying on this software version without patches or mitigations in place.

For European organizations, particularly educational institutions such as universities and colleges that use the projectworlds Student Project Allocation System, this vulnerability poses a risk of data breaches involving student and academic information. Unauthorized access to the database could lead to exposure of personally identifiable information (PII), academic records, and project details, potentially violating GDPR and other data protection regulations. The integrity of project allocations could be compromised, disrupting academic processes and causing reputational damage. Although the vulnerability does not directly impact system availability, the potential for data manipulation or deletion could indirectly affect operational continuity. Furthermore, exploitation could serve as a foothold for further attacks within the institution’s network, increasing overall cybersecurity risk. The medium severity rating suggests that while the impact is significant, it may be limited by the scope of the affected system and the extent of data accessible via the injection point.

European organizations should prioritize the following specific actions: 1) Immediate code review and patching of the /make_group_sql.php file to implement proper input validation and parameterized queries or prepared statements to prevent SQL injection. 2) If a vendor patch is unavailable, apply web application firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the mem1, mem2, and mem3 parameters. 3) Conduct thorough security testing, including automated and manual penetration testing, focusing on all input vectors in the Student Project Allocation System. 4) Restrict database user permissions to the minimum necessary for application functionality to limit the impact of a successful injection. 5) Monitor logs for unusual database queries or errors indicative of injection attempts. 6) Educate IT and security teams on the vulnerability and ensure incident response plans include steps for SQL injection incidents. 7) Consider isolating the affected system within the network to reduce lateral movement risks until remediation is complete.