CVE Alert: CVE-2025-11601 – SourceCodester – Online Student Result System

CVE-2025-11601

Severity: HIGH
Exploitation status: No exploitation known

A vulnerability was detected in SourceCodester Online Student Result System 1.0. It affects unspecified functionality in the file /login.php: manipulating the Username argument leads to SQL injection. The attack can be initiated remotely. A public exploit exists and may be used.

CVSS v3.1: 7.3
Vendor: SourceCodester
Product: Online Student Result System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-11T13:02:06.208Z
Updated: 2025-10-11T13:02:06.208Z

AI Summary Analysis

Risk verdict: High risk of remote SQL injection via the login endpoint, with a publicly available exploit increasing the likelihood of rapid exploitation.

Why this matters: An attacker can bypass authentication or manipulate data through the login flow, potentially exposing student records or altering results. The combination of remote access, no authentication, no user interaction and direct database impact raises the likelihood of data leakage, integrity compromise, or downtime for the system.

Most likely attack path: Attacker targets the login.php Username parameter over the network, sending crafted input to trigger a classic SQLi. With no authentication required, the attacker can run arbitrary queries against the database, potentially exfiltrating or altering data and then moving laterally within the app’s backend if privileges allow.

Who is most exposed: Organisations running SourceCodester Online Student Result System v1.0, especially educational institutions or hosting providers deploying the vendor’s demo/legacy builds, are at elevated risk due to exposed login functionality and likely outdated code with limited input sanitisation.

Detection ideas:

  • Unusual or malformed Username input patterns in web logs.
  • SQL error messages or database errors appearing in application or server logs.
  • Anomalous authentication attempts from unknown IPs targeting login.php.
  • WAF alerts for SQLi-like payloads or query-like anomalies.
  • Sudden spikes in data access or export activity from student records.

Mitigation and prioritisation:

  • Apply vendor patch or upgrade to a fixed version; if unavailable, implement robust parameterised queries and prepared statements in login logic.
  • Harden input validation on Username; implement least-privilege DB user for the application.
  • Enable WAF rules specific to SQLi payloads and monitor for SQL error signatures.
  • Disconnect or restrict public exposure of the login endpoint until fixed; implement compensating controls (logging, alerting) and routine credential monitoring.
  • Plan a staged remediation with testing in a non-production environment; ensure change management sign-off.
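As an added illustration of the parameterised-query and input-validation mitigations above (example code, not the SourceCodester application's own login.php): a hypothetical login lookup written the vulnerable way beside the hardened way. It assumes a `users` table with `username` and `password_hash` columns and uses an in-memory SQLite database with one constructed sample user so it runs stand-alone.

```php
<?php
// Added example, not SourceCodester's code. Assumes a users(username, password_hash)
// table; the in-memory SQLite database and the sample user are constructed here.
function connect(): PDO
{
    // ERRMODE_EXCEPTION makes database errors surface as exceptions, which is
    // what ends up in application logs (see "Detection ideas" above). In
    // production the application should connect as a least-privilege account.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed user
    return $pdo;
}

// VULNERABLE pattern (CWE-89): the Username argument is spliced into the SQL text,
// so whatever it contains becomes part of the query structure.
function loginVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// HARDENED pattern: validate the shape of Username first, then bind it as a
// parameter so the query structure is fixed before the value reaches the engine.
function loginHardened(PDO $pdo, string $username, string $password): bool
{
    if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $username)) {
        return false; // reject malformed usernames before touching the database
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$pdo = connect();
echo 'hardened, valid credentials: ', var_export(loginHardened($pdo, 'alice', 'correct horse'), true), "\n";
echo 'hardened, wrong password:    ', var_export(loginHardened($pdo, 'alice', 'wrong'), true), "\n";
echo 'hardened, quote in username: ', var_export(loginHardened($pdo, "o'brien", 'x'), true), "\n";
try {
    // Same quote in the vulnerable path breaks the query: this is the SQL error
    // signature that ends up in logs and that WAF/log monitoring should flag.
    loginVulnerable($pdo, "o'brien", 'x');
} catch (PDOException $e) {
    echo 'vulnerable, quote in username: SQL error: ', $e->getMessage(), "\n";
}
```

Run with the CLI (`php login_example.php`); the `pdo_sqlite` extension must be enabled.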
