CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System
A vulnerability has been found in SourceCodester COVID 19 Testing Management System 1.0. This vulnerability affects unknown code of the file /bwdates-report-result.php. The manipulation of the argument fromdate leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8988 is a SQL Injection vulnerability identified in SourceCodester COVID 19 Testing Management System version 1.0. The vulnerability exists in the /bwdates-report-result.php file, specifically through the manipulation of the 'fromdate' parameter. An attacker can remotely exploit this flaw without any authentication or user interaction, by injecting malicious SQL code into the 'fromdate' argument. This can lead to unauthorized access to the backend database, allowing attackers to read, modify, or delete sensitive data related to COVID-19 testing records. The vulnerability has a CVSS 4.0 base score of 6.9, categorized as medium severity, reflecting its network attack vector, low attack complexity, and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is limited but non-negligible, as the vulnerability allows partial compromise of the database content. No official patches have been released yet, and although no known exploits are reported in the wild, the public disclosure of the exploit code increases the risk of exploitation. The system is likely used by healthcare providers or testing centers managing COVID-19 test data, making the confidentiality and integrity of patient data critical.
Potential Impact
For European organizations, particularly healthcare providers and public health authorities using the SourceCodester COVID 19 Testing Management System, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive health data. Exploitation could lead to unauthorized disclosure of personal health information, undermining patient privacy and violating GDPR regulations. Data manipulation could also affect the accuracy of COVID-19 testing reports, potentially impacting public health decisions and responses. Additionally, compromised systems could be leveraged for further attacks within healthcare networks, increasing the overall risk exposure. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the scope of impact is somewhat limited to the database managed by this specific application, but the sensitive nature of the data elevates the importance of timely mitigation.
Mitigation Recommendations
European organizations should immediately conduct an audit to identify any deployments of SourceCodester COVID 19 Testing Management System version 1.0. Until an official patch is released, implement strict input validation and sanitization on the 'fromdate' parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection patterns. Employ parameterized queries or prepared statements in the application code if source code access is available. Restrict database user permissions to the minimum necessary to limit the impact of potential injection. Monitor logs for suspicious query patterns or unusual database access. Isolate the affected system from critical network segments to prevent lateral movement. Additionally, ensure that backups of the database are up to date and tested for restoration to recover from potential data tampering. Organizations should also prepare to apply patches promptly once available and consider alternative secure COVID-19 management solutions if remediation is delayed.
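As an added illustration of the recommendations above (this is not code from the SourceCodester project, which is written in PHP; the table and column names are assumptions), the hardened pattern for a date-range report: fromdate/todate are accepted only as real YYYY-MM-DD calendar dates and are bound as query parameters, never concatenated into the SQL text.

```python
import re
import sqlite3
from datetime import date

# Constructed sample rows standing in for the application's test-record
# table; table and column names are assumptions, not the project's own.
SAMPLE_ROWS = [
    ("P001", "2025-01-03", "negative"),
    ("P002", "2025-01-10", "positive"),
    ("P003", "2025-02-02", "negative"),
]

def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_results (patient_id TEXT, test_date TEXT, result TEXT)")
    conn.executemany("INSERT INTO test_results VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def parse_iso_date(value: str) -> str:
    """Accept only a real YYYY-MM-DD calendar date; reject everything else."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        raise ValueError(f"date must be YYYY-MM-DD, got {value!r}")
    # date.fromisoformat raises on impossible dates such as 2025-02-30
    return date.fromisoformat(value).isoformat()

def report_between(conn: sqlite3.Connection, fromdate: str, todate: str):
    """Hardened report query: validated inputs bound as parameters."""
    start, end = parse_iso_date(fromdate), parse_iso_date(todate)
    if start > end:
        raise ValueError("fromdate must not be after todate")
    cur = conn.execute(
        "SELECT patient_id, test_date, result FROM test_results "
        "WHERE test_date BETWEEN ? AND ? ORDER BY test_date",
        (start, end),
    )
    return cur.fetchall()

def safe_report(fromdate: str, todate: str) -> dict:
    """Return matching rows, or the rejection reason, as a handler would."""
    conn = open_demo_db()
    try:
        return {"ok": True, "rows": report_between(conn, fromdate, todate)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    finally:
        conn.close()

if __name__ == "__main__":
    print(safe_report("2025-01-01", "2025-01-31"))
    print(safe_report("2025/01/01", "2025-01-31"))  # rejected: wrong format
```

Rejected requests return a structured error rather than reaching the database, which also gives a clean event to log for the monitoring step above.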
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T16:55:07.073Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689e6ea3ad5a09ad005fa116
Added to database: 8/14/2025, 11:17:55 PM
Last enriched: 8/22/2025, 1:06:08 AM
Last updated: 9/27/2025, 4:46:11 AM