CVE Alert: CVE-2025-12257 – SourceCodester – Online Student Result System
CVE-2025-12257
A security vulnerability has been detected in SourceCodester Online Student Result System 1.0. The issue affects an unspecified part of the processing in the file /view_result.php: manipulation of the ID argument leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection with a publicly disclosed PoC makes exploitation feasible without authentication.
Why this matters
Successful injection could disclose or modify student data and disrupt result retrieval, affecting trust and regulatory compliance. The vulnerable flow sits in a web-facing component, so an attacker could automate access at scale and threaten data integrity and service availability.
Most likely attack path
An attacker directly targets the vulnerable ID parameter of view_result.php over the internet, exploiting the lack of authentication. With AV:N, PR:N and UI:N (network attack vector, no privileges required, no user interaction), the attack can be fully automated, giving opportunistic actors potential data leakage or modification and a possible foothold for broader database access given the privileges web applications typically hold on their DB.
Who is most exposed
Institutions running SourceCodester Online Student Result System 1.0 on publicly accessible or shared hosting, as is common in small colleges and schools, are at highest risk. Poorly configured DB access or default project settings amplify exposure.
Detection ideas
- Monitor for SQL keywords in normalised query parameters (ID) and unusual error messages.
- Detect automated requests lacking authentication attempting to access view_result.php.
- Look for anomalous DB errors or increased latency on the app server.
- SIEM alerts for unexpected data exfiltration patterns or repeated failed queries.
- Web application firewall logs showing SQLi-type payloads targeting the ID parameter.
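As an added example (not code from this alert or from the SourceCodester project), the following Python script applies the first two detection ideas to web-server access-log lines: it normalises the ID parameter of requests to /view_result.php (URL-decoding twice to catch double encoding, case-folding the parameter name) and flags any value that is not a plain integer, then counts findings per source address so bursts from one client stand out. The log lines, addresses and the log format are constructed assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); the addresses and
# requests are made up for this example and are not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "GET /view_result.php?ID=42 HTTP/1.1" 200 1820
203.0.113.7 - - [10/Nov/2025:10:00:02 +0000] "GET /view_result.php?ID=42%27 HTTP/1.1" 500 311
203.0.113.7 - - [10/Nov/2025:10:00:03 +0000] "GET /view_result.php?id=abc HTTP/1.1" 200 1790
198.51.100.9 - - [10/Nov/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 640
198.51.100.9 - - [10/Nov/2025:10:00:06 +0000] "GET /view_result.php?ID=42%2527 HTTP/1.1" 500 311
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
VULN_PATH = "/view_result.php"
ID_OK = re.compile(r"\d{1,10}")  # the only shape a legitimate result ID should have


def check_request(line):
    """Return a finding for a suspicious request to the vulnerable page, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # Normalise: parse_qs URL-decodes once; case-fold the name so 'id' and 'ID' match.
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "id" not in params:
        return None
    # Decode a second time so double-encoded values (%2527 -> %27 -> ') are normalised too.
    value = unquote_plus(params["id"][0])
    if ID_OK.fullmatch(value):
        return None  # plain integer: expected use of the page
    return {"ip": m.group("ip"), "id": value, "status": int(m.group("status"))}


def scan_log(text):
    """Scan log text; return (findings, per-source-IP counts) for alerting."""
    findings = [f for f in map(check_request, text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)
```

Pair the per-IP counts with a threshold in your SIEM rule to raise the automated-access alert from the second bullet, and correlate 5xx responses on the same requests with the DB-error bullet.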
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed version; if none is available, enforce strict input validation on the ID parameter (accept only an integer) and use parameterised queries.
- Enforce least-privilege DB accounts for the web app; separate read/write rights as appropriate.
- Disable detailed error reporting and standardise generic error responses.
- Implement WAF rules to block SQLi patterns in ID parameters; monitor for evasion attempts.
- Change-management: test patch in staging, then deploy with monitoring.
- If KEV present or EPSS ≥ 0.5, treat as priority 1; otherwise align with high-risk remediation windows.