CVE-2025-11551

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Student Result Manager 1.0 allows remote attackers to execute arbitrary SQL commands by manipulating roll, name, or GPA parameters. This could lead to unauthorized data access, modification, or deletion. Anyone running the vulnerable version of this software is affected.

💻 Affected Systems

Products:
  • Student Result Manager
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Database.java file in the src/students directory. Any deployment using the vulnerable code is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, or potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized access to student records, grade manipulation, or extraction of sensitive information from the database.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details are publicly disclosed on GitHub. Attack requires understanding of SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check vendor for updates

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for patched version.
2. Replace vulnerable Database.java file.
3. Implement parameterized queries or prepared statements.
4. Validate all user inputs.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to reject suspicious characters in roll, name, and GPA parameters

Implement regex validation: ^[a-zA-Z0-9\s.-]+$ for names, ^[0-9]+$ for roll numbers, ^[0-9.]+$ for GPA
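
The fix instructions (parameterized queries) and the validation patterns above, combined in one data-access method. This is an added example, not code from the project's Database.java; the class name, the table name students and the columns roll, name and gpa are assumptions.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example. StudentDao, table "students" and its columns are assumed names.
public final class StudentDao {
    // Patterns taken from the advisory's Input Validation Filter workaround.
    private static final Pattern ROLL = Pattern.compile("^[0-9]+$");
    private static final Pattern NAME = Pattern.compile("^[a-zA-Z0-9\\s.-]+$");
    private static final Pattern GPA  = Pattern.compile("^[0-9.]+$");

    // matches() requires the whole input to match. find() would also accept
    // "123\n", because '$' matches just before a final line terminator.
    static boolean isValid(String roll, String name, String gpa) {
        return roll != null && name != null && gpa != null
            && ROLL.matcher(roll).matches()
            && NAME.matcher(name).matches()
            && GPA.matcher(gpa).matches();
    }

    // Pattern to look for when reviewing the code (constructed illustration):
    //   "INSERT INTO students VALUES ('" + roll + "','" + name + "'," + gpa + ")"
    // Here the input becomes part of the SQL text. Below, the SQL text is a
    // constant and the values travel separately as bound parameters.
    static int insertStudent(Connection conn, String roll, String name, String gpa)
            throws SQLException {
        if (!isValid(roll, name, gpa)) {
            throw new IllegalArgumentException("rejected: roll, name or GPA failed validation");
        }
        final BigDecimal gpaValue;
        try {
            // The GPA pattern alone still accepts "1.2.3" or ".", so parse it too.
            gpaValue = new BigDecimal(gpa);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("rejected: GPA is not a number", e);
        }
        String sql = "INSERT INTO students (roll, name, gpa) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, roll);
            ps.setString(2, name);
            ps.setBigDecimal(3, gpaValue);
            return ps.executeUpdate(); // number of rows inserted
        }
    }
}
```

The name pattern rejects legitimate names containing an apostrophe; with bound parameters such names are safe to store, so the pattern can be relaxed once every query is parameterized.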

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with SQL injection filtering
  • Implement strict database user permissions with least privilege access

🔍 How to Verify

Check if Vulnerable:

Review Database.java file for string concatenation in SQL queries without parameterization

Check Version:

Check application version in configuration files or about page

Verify Fix Applied:

Test with SQL injection payloads like ' OR '1'='1 in roll/name/GPA fields

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in logs
  • Multiple failed login attempts with SQL syntax
  • Unexpected database queries

Network Indicators:

  • HTTP requests containing SQL keywords in parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND ("SELECT" OR "UNION" OR "OR '1'='1") AND status=200
