CVE-2025-11601

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in SourceCodester Online Student Result System 1.0 allows attackers to manipulate database queries through the Username parameter in /login.php. Remote attackers can potentially access, modify, or delete student result data. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Online Student Result System
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL web server
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including student records, grades, personal information, and potential system takeover via privilege escalation.

🟠 Likely Case: Unauthorized access to student records and grades, data exfiltration, and potential manipulation of academic results.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only error messages or failed login attempts visible.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit but require network access; risk depends on internal security controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub; SQL injection via login form requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to a newer version if one is available, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify login.php to use prepared statements and validate/sanitize Username input

Replace raw SQL queries with PDO or mysqli prepared statements in login.php
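
One way to apply the prepared-statement workaround, as an added example that is not the application's own code. The users table, its columns, the function names, the username format and the use of password_hash() are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed demo database. Table and column names are hypothetical;
// the real schema used by login.php may differ.
function make_demo_db(): PDO {
    // SQLite in memory keeps the demo offline; use a mysql: DSN in deployment.
    $pdo = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
    $pdo->prepare('INSERT INTO users VALUES (?, ?)')
        ->execute(['admin', password_hash('constructed-demo-pw', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Look up the stored hash with the username bound as a parameter,
// never concatenated into the SQL text.
function find_hash(PDO $pdo, string $username): ?string {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) ? $hash : null;
}

function check_login(PDO $pdo, string $username, string $password): bool {
    // Allow-list validation (assumed username format).
    if (preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username) !== 1) {
        return false;
    }
    try {
        $hash = find_hash($pdo, $username);
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // server-side only
        return false; // caller shows one generic failure message
    }
    return $hash !== null && password_verify($password, $hash);
}

$pdo = make_demo_db();
// The payload from the verification step is treated as a literal username.
var_dump(find_hash($pdo, "' OR '1'='1") === null);
var_dump(check_login($pdo, "' OR '1'='1", 'anything'));
var_dump(check_login($pdo, 'admin', 'constructed-demo-pw'));
```

Database errors are logged on the server and the caller sees only a failed login, which matches the behaviour the fix verification step expects.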

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns in login requests

Add WAF rule: Detect and block SQL keywords in Username parameter

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation and monitor for unusual database queries

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads like ' OR '1'='1 in the Username field

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Test with the same payloads; the application should return a generic error or fail authentication without SQL errors

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple failed login attempts with SQL syntax
  • Database query errors containing Username parameter

Network Indicators:

  • HTTP POST requests to /login.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/login.php" AND (message="sql" OR message="syntax" OR message="database")
