CVE-2025-10597
📋 TL;DR
This SQL injection vulnerability in kidaze CourseSelectionSystem allows remote attackers to execute arbitrary SQL commands by manipulating the 'cname' parameter in the COUNT2.php file. This affects all deployments of the software up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464. Organizations using this educational software are at risk of data theft, modification, or system compromise.
💻 Affected Systems
- kidaze CourseSelectionSystem
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.
Likely Case
Unauthorized access to sensitive student/course data, grade manipulation, or privilege escalation within the application.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permissions restricting damage scope.
🎯 Exploit Status
SQL injection payloads are publicly available in GitHub repositories. Remote exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - rolling release model
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Update to latest version after commit 42cd892b40a18d50bd4ed1905fa89f939173a464
2. Apply input validation and parameterized queries to COUNT2.php
3. Review all similar endpoints for SQL injection vulnerabilities
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy WAF rules to block SQL injection patterns targeting the cname parameter
Input Validation Filter
Add input validation to sanitize the cname parameter before processing. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and strips tags rather than SQL syntax, so it does not prevent SQL injection on its own; treat it as a stopgap and use parameterized queries for the actual fix.
// PHP example (stopgap only): filter_var($_GET['cname'], FILTER_SANITIZE_STRING);
🧯 If You Can't Patch
- Isolate the CourseSelectionSystem behind a reverse proxy with strict input validation
- Implement database user with minimal permissions (read-only if possible) for the application
🔍 How to Verify
Check if Vulnerable:
Test the /Profilers/PriProfile/COUNT2.php endpoint with SQL injection payloads in the cname parameter
Check Version:
Check the deployed git commit with git log --oneline -1 and confirm it is later than 42cd892b40a18d50bd4ed1905fa89f939173a464
Verify Fix Applied:
Verify that SQL injection attempts no longer succeed and parameterized queries are implemented
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts from single IP
- Requests to COUNT2.php with suspicious cname parameters
Network Indicators:
- HTTP requests containing SQL keywords (UNION, SELECT, INSERT) in URL parameters
- Abnormal traffic patterns to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="/Profilers/PriProfile/COUNT2.php" AND (cname="*UNION*" OR cname="*SELECT*" OR cname="*INSERT*")
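The SIEM query above matches raw keyword strings, so it misses URL-encoded (%20, %27) and mixed-case payloads. The following is an added detection example, not part of the original advisory: it parses constructed combined-format access-log lines, decodes the cname parameter, and flags requests to /Profilers/PriProfile/COUNT2.php whose decoded cname contains SQL keywords. The log lines and the keyword list are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /Profilers/PriProfile/COUNT2.php?cname=Algebra HTTP/1.1" 200 512
10.0.0.7 - - [01/Oct/2025:10:00:02 +0000] "GET /Profilers/PriProfile/COUNT2.php?cname=x%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 734
10.0.0.8 - - [01/Oct/2025:10:00:03 +0000] "GET /Profilers/PriProfile/COUNT2.php?cname=x'+uNiOn+sElEcT+1 HTTP/1.1" 200 734
10.0.0.9 - - [01/Oct/2025:10:00:04 +0000] "GET /index.php?cname=UNION HTTP/1.1" 200 100
"""

TARGET_PATH = "/Profilers/PriProfile/COUNT2.php"   # vulnerable endpoint from the advisory
# Whole-word SQL keywords, matched case-insensitively on the decoded value.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.IGNORECASE)
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)


def suspicious_cname_values(uri: str) -> list:
    """Return decoded cname values in `uri` that contain SQL keywords (only for the target path)."""
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    # parse_qs already decodes %XX and '+' once; decoding the copy we match on a
    # second time also catches double-encoded payloads.
    for value in parse_qs(parts.query, keep_blank_values=True).get("cname", []):
        decoded = unquote_plus(value)
        if SQL_KEYWORDS.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(text: str) -> list:
    """Scan access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for value in suspicious_cname_values(m["uri"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "cname": value})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} suspicious cname={a['cname']!r}")
```

On the constructed sample, the two encoded and mixed-case requests to COUNT2.php are flagged while the plain course name and the request to a different path are not.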