CVE-2025-10419 – This SQL injection vulnerability in SourceCodes... (How to Fix)

Q: What is the severity of CVE-2025-10419?

CVE-2025-10419 has a CVSS score of 6.3 (MEDIUM). This SQL injection vulnerability in SourceCodester Student Grading System 1.0 allows attackers to manipulate database queries through the 'sy' parameter in /del_promote.php. Attackers can potentially read, modify, or delete sensitive student grading data. The vulnerability affects all deployments of this specific software version.

📋 TL;DR

This SQL injection vulnerability in SourceCodester Student Grading System 1.0 allows attackers to manipulate database queries through the 'sy' parameter in /del_promote.php. Attackers can potentially read, modify, or delete sensitive student grading data. The vulnerability affects all deployments of this specific software version.

💻 Affected Systems

Products:

SourceCodester Student Grading System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable by default.

📦 What is this software?

Student Grading System by Oretnom23

View all CVEs affecting Student Grading System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or system takeover via SQL injection to execute arbitrary commands.

🟠

Likely Case

Unauthorized access to sensitive student records, grade manipulation, or extraction of database credentials.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

1. Check vendor website for updated version. 2. If available, download and install the patched version. 3. Replace vulnerable /del_promote.php file with patched version.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation for the 'sy' parameter to only accept expected values.

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting /del_promote.php.

🧯 If You Can't Patch

Restrict access to /del_promote.php using authentication and authorization controls.
Implement network segmentation to isolate the grading system from sensitive databases.

🔍 How to Verify

Check if Vulnerable:

Test /del_promote.php endpoint with SQL injection payloads in the 'sy' parameter.

Check Version:

Check software version in admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed login attempts followed by /del_promote.php access

Network Indicators:

SQL injection patterns in HTTP requests to /del_promote.php

SIEM Query:

source="web_logs" AND uri="/del_promote.php" AND (request LIKE "%sy=%' OR%" OR request LIKE "%sy=%--%" OR request LIKE "%sy=%/*%*")

📊 Metadata

CVE ID: CVE-2025-10419

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (6.7th percentile)

Published: September 15, 2025

Last Updated: September 19, 2025

🔗 References

https://github.com/qcycop0101-hash/CVE/issues/7 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.323853 Permissions Required
https://vuldb.com/?id.323853 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.646921 Third Party Advisory,VDB Entry
https://www.sourcecodester.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10419, you might also want to check these: