CVE-2025-5675: SQL Injection in Campcodes Online Teacher Record Management System
A vulnerability was found in Campcodes Online Teacher Record Management System 1.0. It has been classified as critical. This affects an unknown part of the file /trms/admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5675 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Teacher Record Management System, specifically within the /trms/admin/bwdates-reports-details.php file. The vulnerability arises due to improper sanitization or validation of the 'fromdate' and 'todate' parameters, which are used to filter or query report data. An attacker can manipulate these parameters remotely without any authentication or user interaction, injecting malicious SQL code that the backend database executes. This can lead to unauthorized data access, data modification, or potentially full compromise of the underlying database. The CVSS 4.0 vector indicates no privileges or user interaction are required, and the attack can be performed remotely over the network. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L), suggesting partial but significant compromise possibilities. Although the CVSS score is 6.9 (medium severity), the critical classification by the vendor likely reflects the sensitivity of the data handled by this system (teacher records). No official patches or mitigations have been published yet, and no known exploits are reported in the wild, but public disclosure of the exploit code increases the risk of exploitation. The system is used for managing teacher records, which may contain personally identifiable information (PII) and sensitive educational data.
Potential Impact
For European organizations, particularly educational institutions or government bodies managing teacher records, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive personal data of teachers, including identity details, employment records, and potentially sensitive performance or disciplinary information. This could result in privacy violations under GDPR, leading to regulatory penalties and reputational damage. Additionally, attackers could manipulate or delete records, disrupting administrative operations and impacting the availability and integrity of educational data. The remote and unauthenticated nature of the attack increases the risk of widespread exploitation, especially if the system is exposed to the internet. Given the critical nature of educational data and the importance of maintaining trust in public institutions, this vulnerability could have serious operational and compliance consequences for European entities using this product.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the vulnerable endpoint by implementing network-level controls such as IP whitelisting or VPN-only access to the management interface. Input validation and parameter sanitization must be enforced on the 'fromdate' and 'todate' parameters to prevent SQL injection; this includes using prepared statements or parameterized queries in the backend code. Organizations should conduct a thorough code review of the affected module and apply secure coding practices. In the absence of an official patch, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting these parameters. Monitoring and logging access to the vulnerable endpoint should be enhanced to detect suspicious activity. Finally, organizations should plan for an update or patch deployment once available from the vendor and conduct a risk assessment to identify any potential data breaches resulting from exploitation.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2025-5675: SQL Injection in Campcodes Online Teacher Record Management System
Description
A vulnerability was found in Campcodes Online Teacher Record Management System 1.0. It has been classified as critical. This affects an unknown part of the file /trms/admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI-Powered Analysis
Technical Analysis
CVE-2025-5675 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Teacher Record Management System, specifically within the /trms/admin/bwdates-reports-details.php file. The vulnerability arises due to improper sanitization or validation of the 'fromdate' and 'todate' parameters, which are used to filter or query report data. An attacker can manipulate these parameters remotely without any authentication or user interaction, injecting malicious SQL code that the backend database executes. This can lead to unauthorized data access, data modification, or potentially full compromise of the underlying database. The CVSS 4.0 vector indicates no privileges or user interaction are required, and the attack can be performed remotely over the network. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L), suggesting partial but significant compromise possibilities. Although the CVSS score is 6.9 (medium severity), the critical classification by the vendor likely reflects the sensitivity of the data handled by this system (teacher records). No official patches or mitigations have been published yet, and no known exploits are reported in the wild, but public disclosure of the exploit code increases the risk of exploitation. The system is used for managing teacher records, which may contain personally identifiable information (PII) and sensitive educational data.
Potential Impact
For European organizations, particularly educational institutions or government bodies managing teacher records, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive personal data of teachers, including identity details, employment records, and potentially sensitive performance or disciplinary information. This could result in privacy violations under GDPR, leading to regulatory penalties and reputational damage. Additionally, attackers could manipulate or delete records, disrupting administrative operations and impacting the availability and integrity of educational data. The remote and unauthenticated nature of the attack increases the risk of widespread exploitation, especially if the system is exposed to the internet. Given the critical nature of educational data and the importance of maintaining trust in public institutions, this vulnerability could have serious operational and compliance consequences for European entities using this product.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the vulnerable endpoint by implementing network-level controls such as IP whitelisting or VPN-only access to the management interface. Input validation and parameter sanitization must be enforced on the 'fromdate' and 'todate' parameters to prevent SQL injection; this includes using prepared statements or parameterized queries in the backend code. Organizations should conduct a thorough code review of the affected module and apply secure coding practices. In the absence of an official patch, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting these parameters. Monitoring and logging access to the vulnerable endpoint should be enhanced to detect suspicious activity. Finally, organizations should plan for an update or patch deployment once available from the vendor and conduct a risk assessment to identify any potential data breaches resulting from exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-06-04T13:00:43.677Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 6841efec182aa0cae2ed9f24
Added to database: 6/5/2025, 7:28:44 PM
Last enriched: 7/7/2025, 5:10:41 PM
Last updated: 8/17/2025, 7:04:14 PM
Views: 15
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.