CVE Alert: CVE-2025-10479 - SourceCodester - Online Student File Management System

CVE-2025-10479

HIGHNo exploitation known

A security flaw has been discovered in SourceCodester Online Student File Management System 1.0. The impacted element is an unknown function of the file /index.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.

CVSS v3.1 (7.3)

Vendor

SourceCodester

Product

Online Student File Management System

Versions

1.0

CWE

CWE-89, SQL Injection

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Published

2025-09-15T21:02:07.501Z

Updated

2025-09-15T21:02:07.501Z

References

https://vuldb.com/?id.323914

https://vuldb.com/?ctiid.323914

https://vuldb.com/?submit.648520

https://github.com/ganzhi-qcy/cve/issues/25

https://www.sourcecodester.com/

AI Summary Analysis

Risk verdict

High risk: publicly released exploit and network-accessible SQL injection with no authentication makes remote compromise plausible.

Why this matters

An attacker can potentially exfiltrate or modify data due to a direct database query from a web endpoint. The lack of user interaction and remote exposure raise the likelihood of automated scans and widespread attempts, with potential downstream impact on integrity, confidentiality, and availability of the affected data.

Most likely attack path

Exploitation requires no user credentials and relies on input to a web-facing parameter. An attacker can inject into the stud_no parameter via the index.php endpoint, triggering a database query manipulation that may disclose or alter data. Because AV is network-based and PR is none, a successful chain can occur with minimal preconditions, enabling rapid impact and possible lateral movement within the web app’s data layer if privileges permit.

Who is most exposed

Publicly reachable installations running the described system, typical in educational or small-to-medium hosting environments, especially where default or weak input handling and database privileges exist.

Detection ideas

Look for abnormal SQL error messages in web and application logs.
Monitor for unusual or numerous requests to index.php with crafted stud_no parameters.
Detect repeated failed or successful SQL queries suggesting data leakage attempts.
Correlate spikes in DB latency with specific URIs or query patterns.
Inspect WAF/logs for known SQLi payload signatures.

Mitigation and prioritisation

Apply a patch or upgrade when vendor fixes are available; verify in staging first.
Enforce parameterised queries/prepared statements and strict input validation.
Implement least-privilege database accounts and disable unnecessary DB access from the web tier.
Deploy a web application firewall with SQLi signatures and enable runtime monitoring.
Change-management: test changes in a non-production environment; plan rapid patch windows if KEV true or EPSS ≥ 0.5. If either is confirmed, treat as priority 1.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, cve-2025-10479, online-student-file-management-system, OSINT, sourcecodester, threatintel