CVE-2025-5008 is a SQL Injection vulnerability identified in version 1.0 of the projectworlds Online Time Table Generator, specifically within the /admin/add_teacher.php file. The vulnerability arises from improper sanitization or validation of the 'e' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries on the backend database, potentially leading to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability does not require any user interaction or privileges, making it remotely exploitable over the network. Although the CVSS 4.0 score is 6.9 (medium severity), the impact on confidentiality, integrity, and availability is significant due to the potential for data leakage or corruption. The vulnerability affects only version 1.0 of the product, and while no official patches or fixes have been published yet, the exploit details have been publicly disclosed, increasing the risk of exploitation. Other parameters in the same script might also be vulnerable, indicating a broader input validation issue within the application. The lack of authentication and user interaction requirements further heightens the threat, as attackers can launch automated attacks without any barriers.

For European organizations using the projectworlds Online Time Table Generator 1.0, this vulnerability poses a serious risk to the confidentiality and integrity of sensitive scheduling and personnel data. Educational institutions and administrative bodies relying on this software could face unauthorized disclosure of teacher or student information, manipulation of timetable data, or disruption of scheduling services. Such data breaches could lead to regulatory non-compliance under GDPR, resulting in legal penalties and reputational damage. Additionally, attackers could leverage this vulnerability as a foothold to pivot into internal networks, escalating the impact beyond the affected application. The public disclosure of the exploit increases the likelihood of opportunistic attacks, especially targeting organizations that have not applied mitigations or upgrades. Given the critical nature of scheduling systems in educational and organizational contexts, service availability could also be impacted if attackers execute destructive SQL commands or cause database corruption.

European organizations should immediately assess their exposure by identifying deployments of projectworlds Online Time Table Generator version 1.0. Since no official patches are currently available, organizations should implement the following specific mitigations: 1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'e' parameter and other inputs in /admin/add_teacher.php. 2) Restrict access to the /admin directory via IP whitelisting or VPN to limit exposure to trusted users only. 3) Conduct thorough input validation and sanitization on all parameters, especially those used in SQL queries, employing parameterized queries or prepared statements if possible. 4) Monitor database logs for suspicious queries indicative of injection attempts. 5) Consider isolating the affected application in a segmented network zone to reduce lateral movement risk. 6) Plan for an upgrade or replacement of the vulnerable software version as soon as a vendor patch or secure alternative becomes available. 7) Educate administrative users about the risk and signs of exploitation attempts. These targeted actions go beyond generic advice by focusing on immediate containment and risk reduction until a permanent fix is deployed.