CVE-2025-13122

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in SourceCodester Patients Waiting Area Queue Management System 1.0 allows attackers to manipulate database queries through the appointmentID parameter. Attackers can potentially access, modify, or delete patient appointment data. Organizations using this specific version of the queue management system are affected.

💻 Affected Systems

Products:
  • SourceCodester Patients Waiting Area Queue Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP environment with database connectivity. The vulnerability exists in the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including patient data exfiltration, escalation from SQL injection to remote code execution, and potential destruction of healthcare appointment records.

🟠 Likely Case

Unauthorized access to patient appointment data, manipulation of queue information, and potential data leakage affecting patient privacy.

🟢 If Mitigated

Limited impact where input validation, parameterized queries, and network segmentation prevent database access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation is possible without authentication. The exploit is publicly available and SQL injection techniques are well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

1. Check the vendor website for security updates.
2. If a patch is available, download and apply it.
3. Test functionality after patching.
4. Monitor for any issues.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation for the appointmentID parameter so that only the expected format (an integer ID) is accepted

Modify /php/api_patient_checkin.php to validate appointmentID as integer using is_numeric() or filter_var()
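A hardened check-in handler, written here as an added example (not SourceCodester's code): it validates appointmentID with filter_var() and then binds it through a prepared statement, so the database only ever receives an integer. It assumes a mysqli connection in $db and an `appointments` table with an integer `id` column; both are hypothetical and must be adapted to the real schema.

```php
<?php
// Added example, not the project's own code. Assumes $db is an open mysqli
// connection and a table `appointments` with an integer primary key `id`
// (hypothetical names; adapt to the actual schema).
declare(strict_types=1);

function loadAppointment(mysqli $db, array $request): ?array
{
    // Reject anything that is not a plain positive integer. FILTER_VALIDATE_INT
    // is stricter than is_numeric(), which also accepts values such as "1e3".
    $id = filter_var(
        $request['appointmentID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // Parameter binding: the value is sent separately from the SQL text and
    // cannot alter the structure of the query.
    $stmt = $db->prepare('SELECT id, patient_name, status FROM appointments WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Pattern this replaces, shown for contrast only: interpolating the raw
// request parameter directly into the query string.
//   $sql = "SELECT * FROM appointments WHERE id = '" . $_GET['appointmentID'] . "'";

// Placeholder credentials; use the application's real configuration.
$db = new mysqli('localhost', 'app_user', 'app_password', 'queue_db');
$db->set_charset('utf8mb4');
header('Content-Type: application/json');
echo json_encode(loadAppointment($db, $_GET) ?? ['error' => 'invalid appointmentID']);
```

Requests whose appointmentID is not a positive integer get a 400 response before any query runs; the WAF rule below remains a useful second layer but is not a substitute for this change.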

Web Application Firewall Rules

Applies to: all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint

Add WAF rule: block requests to /php/api_patient_checkin.php that contain SQL keywords in the appointmentID parameter

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement network segmentation to limit database access from the web application server

🔍 How to Verify

Check if Vulnerable:

Test the /php/api_patient_checkin.php endpoint with SQL injection payloads in the appointmentID parameter

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Attempt SQL injection tests after implementing fixes and verify they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or SQL errors in application logs
  • Requests to /php/api_patient_checkin.php with suspicious parameters

Network Indicators:

  • Unusual database connections from web server
  • SQL error messages in HTTP responses
  • Patterns of SQL keywords in HTTP requests

SIEM Query:

source="web_logs" AND uri="/php/api_patient_checkin.php" AND (appointmentID CONTAINS "'" OR appointmentID CONTAINS "UNION" OR appointmentID CONTAINS "SELECT")
