CVE Alert: CVE-2025-10062 – itsourcecode – Student Information Management System

CVE-2025-10062

Severity: HIGH
No exploitation known

A vulnerability was determined in itsourcecode Student Information Management System 1.0. It affects an unknown part of the file /admin/login.php. Manipulating the argument uname can lead to SQL injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be used.

CVSS v3.1: 7.3
Vendor: itsourcecode
Product: Student Information Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-06T22:32:06.241Z
Updated: 2025-09-06T22:32:06.241Z

AI Summary Analysis

Risk verdict: High risk with remote, unauthenticated SQL injection and publicly disclosed exploit; remediation should be pursued immediately.

Why this matters: An attacker can bypass authentication, access or exfiltrate sensitive student records, and potentially modify data. The combination of a web-facing login endpoint and known exploitation elevates the threat to regulatory and reputational risk for affected organisations.

Most likely attack path: An attacker sends crafted requests to the vulnerable login page, manipulating the uname parameter to trigger SQL injection without any user interaction or credentials. With network access and no privileges required, automated tools could enumerate data or compromise an admin-like account, enabling broader breach or persistence within the app’s data layer.

Who is most exposed: Deployments hosting web-based student information systems with publicly reachable admin interfaces are most at risk, especially in educational institutions that expose the login page to the internet or rely on default credentials and weak input handling.

Detection ideas:

  • Logs show suspicious uname values and SQL error patterns from login.php
  • WAF/IDS alerts for SQLi indicators targeting the login endpoint
  • Spike in failed login attempts or unusual data transfer from the login process
  • Application logs revealing database error messages or unusual query strings
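The first and fourth detection ideas above can be checked with a small log scan. The script below is an added example, not code from this alert or from itsourcecode: it parses constructed access-log and PHP error-log lines, decodes the uname parameter on requests to /admin/login.php, and flags values carrying SQL metacharacters or tautology/UNION keywords, plus any application-log line that exposes a database error from login.php. The combined-log layout, the /var/www prefix and every log line are assumptions made for the example; the real application submits uname in a POST body, so in production the same functions would be fed from a WAF or application log that records request parameters.

```python
"""Detection example for SQL injection probes against /admin/login.php.

Added illustration for CVE-2025-10062; not code from the vendor or the alert.
All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log sample (combined log format, parameters in the query string).
ACCESS_LOG = """\
203.0.113.5 - - [06/Sep/2025:22:40:01 +0000] "GET /admin/login.php?uname=admin&pass=secret HTTP/1.1" 200 512
203.0.113.9 - - [06/Sep/2025:22:40:07 +0000] "GET /admin/login.php?uname=admin%27+OR+%271%27%3D%271&pass=x HTTP/1.1" 200 8120
198.51.100.2 - - [06/Sep/2025:22:41:13 +0000] "GET /index.php HTTP/1.1" 200 1024
203.0.113.9 - - [06/Sep/2025:22:41:20 +0000] "GET /admin/login.php?uname=x%27+UNION+SELECT+1%2C2%2C3--+&pass=x HTTP/1.1" 500 320
"""

# Constructed PHP error-log sample; the /var/www path is assumed.
APP_LOG = """\
[06-Sep-2025 22:41:20 UTC] PHP Warning: mysqli_query(): You have an error in your SQL syntax near ''' in /var/www/admin/login.php on line 12
[06-Sep-2025 22:42:00 UTC] PHP Notice: Undefined index: foo in /var/www/index.php on line 3
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Things a legitimate username never contains: string terminators, SQL
# comment markers and the boolean/UNION/time-based keywords typical of probes.
SQLI_RE = re.compile(
    r"""('|--|/\*|\bor\b\s+['"\d]|\bunion\b|\bselect\b|\bsleep\s*\()""",
    re.IGNORECASE,
)

# Database error text leaking through the application log.
SQL_ERROR_RE = re.compile(r"error in your SQL syntax|mysqli_query\(\)|SQLSTATE\[", re.IGNORECASE)


def suspicious_uname_requests(log_text):
    """Return (client_ip, http_status, decoded_uname) for each request to
    /admin/login.php whose uname parameter matches an injection indicator."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin/login.php"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces for us.
        for uname in parse_qs(parts.query).get("uname", []):
            if SQLI_RE.search(uname):
                findings.append((m.group("ip"), int(m.group("status")), uname))
    return findings


def sql_error_lines(log_text, path_hint="login.php"):
    """Return application-log lines that expose a database error from the login script."""
    return [ln for ln in log_text.splitlines() if SQL_ERROR_RE.search(ln) and path_hint in ln]


if __name__ == "__main__":
    for ip, status, uname in suspicious_uname_requests(ACCESS_LOG):
        print(f"SQLi indicator from {ip} (HTTP {status}): uname={uname!r}")
    for ln in sql_error_lines(APP_LOG):
        print("DB error leaked:", ln)
```

A 500 response or a leaked "error in your SQL syntax" line paired with a flagged uname is a strong signal that the injected text reached the database; a 200 with an unusually large response size, as in the second sample line, is the pattern to watch for when the injection succeeds silently. Correlating both logs by timestamp and client IP gives the "spike in failed logins or unusual data transfer" view the list above asks for.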

Mitigation and prioritisation:

  • Apply a code fix or vendor patch to use parameterised queries; implement input validation/escaping.
  • If patching is delayed, implement a compensating control: restrict access to the login page, enable WAF rules for SQLi, and enforce IP allowlisting.
  • Rotate DB credentials and tighten DB user privileges; monitor for anomalous queries.
  • Change-management: test in staging, schedule a security window, verify; ensure backups before patching.
  • If the CVE is listed in CISA KEV or has EPSS ≥ 0.5, treat as priority 1. If those indicators are absent, proceed with high-priority remediation and monitoring.
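The first mitigation bullet, parameterised queries plus input validation, looks like the following. This is an added example written in Python with sqlite3 to show the principle; it is not the PHP code of the itsourcecode application, and the users table layout (uname, password_hash), the username character set and the PBKDF2 password scheme are assumptions made for the illustration.

```python
"""Hardened login lookup: bound parameters, input validation, hashed passwords.

Added example for CVE-2025-10062; not the vendor's code. Table layout and
username policy are assumed.
"""
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed username policy: only these characters, 1 to 64 of them.
UNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password); the salt is stored alongside."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time comparison against the stored salt || digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)


def setup_db():
    """In-memory database with one assumed admin account (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, password_hash BLOB)"
    )
    conn.execute(
        "INSERT INTO users (uname, password_hash) VALUES (?, ?)",
        ("admin", hash_password("correct horse battery staple")),
    )
    conn.commit()
    return conn


def valid_uname(uname):
    """Reject anything outside the assumed username character set."""
    return isinstance(uname, str) and UNAME_RE.fullmatch(uname) is not None


def lookup_user(conn, uname):
    """Fetch (id, password_hash) for uname, or None.

    The pattern behind CWE-89 splices the request value into the SQL text, so
    quotes, comment markers or UNION in uname rewrite the statement.  Here the
    statement is fixed and uname is passed as a bound parameter: the database
    receives it purely as data and compares it literally against the column.
    """
    return conn.execute(
        "SELECT id, password_hash FROM users WHERE uname = ?", (uname,)
    ).fetchone()


def authenticate(conn, uname, password):
    """Return the user id on success, None otherwise.

    The password never appears in any query; it is checked against the stored
    hash in application code, so a tautology in either field cannot log in.
    """
    if not valid_uname(uname):
        return None
    row = lookup_user(conn, uname)
    if row is None:
        return None
    user_id, stored = row
    return user_id if verify_password(password, stored) else None


if __name__ == "__main__":
    db = setup_db()
    print("good creds ->", authenticate(db, "admin", "correct horse battery staple"))
    print("bad password ->", authenticate(db, "admin", "wrong"))
    print("quote in uname ->", authenticate(db, "admin'", "x"))
```

Validation is a defence-in-depth layer, not the fix: the parameter binding in lookup_user is what removes the injection, and it holds even for values that pass no character filter. Pair this with the third bullet by running the application's database account with only the SELECT/UPDATE rights the login and record pages actually need, so a future query bug cannot read or alter tables outside that scope.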
