CVE Alert: CVE-2025-9788 – SourceCodester – School Log Management System

CVE-2025-9788

HIGH | No exploitation known

A vulnerability was determined in SourceCodester/Campcodes School Log Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_class.php. Manipulation of the argument id_no can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

CVSS v3.1 (7.3)
Vendor: SourceCodester, Campcodes
Product: School Log Management System, School Log Management System
Versions: 1.0 | 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-01T17:32:06.556Z
Updated: 2025-09-01T17:32:06.556Z

AI Summary Analysis

Risk verdict

High risk: a publicly disclosed, network-exposed SQL injection in the admin_class.php endpoint could be exploited remotely without authentication; remediation should be treated as urgent.

Why this matters

Impact on data confidentiality and integrity includes potential exposure of student records and school data, plus possible data tampering or loss of audit traceability. An attacker who understands the app's database queries can automate data exfiltration or modification without user interaction, increasing the likelihood of rapid impact across records.

Most likely attack path

An attacker sends crafted id_no values over the network to /admin/admin_class.php; no user credentials or interaction are required. The vector's AV:N, PR:N and UI:N values mean the flaw is reachable remotely with no privileges or user interaction, enabling direct SQL injection and potential data disclosure or modification with few preconditions.

Who is most exposed

Public-facing installations of SourceCodester/Campcodes School Log Management System (typically in the education sector) that expose the admin interface over the internet are at highest risk, especially where default access controls are weak or the admin path is not blocked.

Detection ideas

  • Web server and application logs showing repeated, anomalous id_no payloads targeting admin_class.php.
  • SQL error messages or unusual database responses tied to id_no requests.
  • Spikes in admin-related endpoint traffic or unusual data volumes from the same source.
  • Indicators in DB logs of unexpected queries or table access patterns.
  • WAF alerts for SQL injection signatures targeting the admin path.

Mitigation and prioritisation

  • Apply the patched version or hotfix; implement parameterised queries/prepared statements for id_no handling.
  • Enforce least-privilege DB credentials for the web app; restrict admin endpoint access (IP allowlists, auth, MFA).
  • Add input validation and output escaping; consider replacing dynamic SQL with safe ORM/ORM-like interfaces.
  • Enable robust logging and alerting for all admin endpoints; ensure rapid change-management and testing in staging before production.
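The parameterised-query fix from the first bullet, as an added PHP illustration that is not the project's code: the concatenated-query pattern the advisory describes beside a prepared-statement replacement for id_no. The students table, its columns and the in-memory SQLite database are assumptions made so the script runs stand-alone (the real app uses MySQL, where the same PDO calls apply).

```php
<?php
// Added example, not code from the advisory or the project. Table and column
// names (students, id_no, name) and the in-memory SQLite database are
// assumptions so this runs stand-alone; the application itself uses MySQL.

// BEFORE (the CWE-89 pattern the advisory describes): id_no is spliced into
// the SQL text, so any value that closes the quote rewrites the query.
// Shown only for contrast; it is never called below.
function findStudentUnsafe(PDO $db, string $idNo): array
{
    $sql = "SELECT id_no, name FROM students WHERE id_no = '" . $idNo . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: allowlist the input shape, then bind it as a parameter so the
// database engine only ever sees it as data, never as SQL.
function findStudentSafe(PDO $db, string $idNo): array
{
    // Assumed format: 1 to 20 digits. Validation is defence in depth;
    // the prepared statement is what actually removes the injection.
    if (!preg_match('/^\d{1,20}$/', $idNo)) {
        throw new InvalidArgumentException('id_no must be numeric');
    }
    $stmt = $db->prepare('SELECT id_no, name FROM students WHERE id_no = :id_no');
    $stmt->bindValue(':id_no', $idNo, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data. ERRMODE_EXCEPTION surfaces query failures in
// logs instead of silently returning empty results.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE students (id_no TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students VALUES ('2023001', 'A. Student'), ('2023002', 'B. Student')");

// Normal lookup, as the handler would do with $_GET['id_no'].
var_dump(findStudentSafe($db, '2023001')); // one row

// A malformed value (here a stray quote, the kind of anomaly the detection
// ideas above look for) is rejected before any SQL runs; the handler should
// answer HTTP 400 and log the rejection so it shows up in monitoring.
try {
    findStudentSafe($db, "2023001'");
} catch (InvalidArgumentException $e) {
    error_log('admin_class.php rejected id_no: ' . $e->getMessage());
}
```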
