CVE-2025-2662

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in Project Worlds Online Time Table Generator 1.0 allows attackers to execute arbitrary SQL commands via the 'course' parameter in student/studentdashboard.php. Organizations using this software are affected, particularly educational institutions that deploy it for timetable management.

💻 Affected Systems

Products:
  • Project Worlds Online Time Table Generator
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with student/studentdashboard.php accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, and potential remote code execution if database permissions allow.

🟠 Likely Case: Unauthorized access to student/course data, grade manipulation, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and SQL injection is well-understood by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter (all)

  • Add parameter validation to studentdashboard.php to sanitize the 'course' parameter
  • Edit student/studentdashboard.php to add input validation before SQL queries
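As an added example (not code from Project Worlds Online Time Table Generator, whose actual source and schema are not reproduced here), the following PHP script contrasts a string-built query of the shape this workaround targets with a version that validates the 'course' value against an allow-list and then binds it through a PDO prepared statement. The table name `timetable`, its columns, the course-code format and the in-memory SQLite database are all constructed for the demo, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example; not the Project Worlds code. The table `timetable`, its columns and
// the course-code format are constructed for the demo, and an in-memory SQLite
// database (pdo_sqlite assumed available) stands in for the application's real database.

function buildDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE timetable (course TEXT, day TEXT, slot TEXT)');
    $pdo->exec("INSERT INTO timetable VALUES ('CS101','Mon','09:00'), ('CS102','Tue','10:00'), ('MA201','Wed','11:00')");
    return $pdo;
}

// Shape of the defect: the request value is spliced into the SQL text, so quote
// characters inside it become part of the query.
function lookupUnsafe(PDO $pdo, string $course): array {
    $sql = "SELECT course, day, slot FROM timetable WHERE course = '" . $course . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Step 1 of the workaround: accept only values that look like a course code.
function validateCourseCode(string $course): ?string {
    // Constructed rule: 2-4 upper-case letters followed by 3 digits.
    return preg_match('/^[A-Z]{2,4}[0-9]{3}$/', $course) === 1 ? $course : null;
}

// Step 2: bind the value instead of concatenating it. The database receives the
// query text and the value separately, so no request input is ever parsed as SQL.
function lookupPrepared(PDO $pdo, string $course): array {
    $stmt = $pdo->prepare('SELECT course, day, slot FROM timetable WHERE course = :course');
    $stmt->execute([':course' => $course]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Both together: reject malformed input early (defence in depth), then bind.
function lookupSafe(PDO $pdo, string $course): array {
    $code = validateCourseCode($course);
    if ($code === null) {
        return [];   // refuse rather than try to "clean" the value
    }
    return lookupPrepared($pdo, $code);
}

$pdo   = buildDemoDb();
$probe = "' OR '1'='1";   // the check string quoted in the "How to Verify" section

// Concatenation: the probe turns the WHERE clause into a tautology and every row comes back.
printf("unsafe, normal input: %d row(s)\n", count(lookupUnsafe($pdo, 'CS101')));
printf("unsafe, probe input:  %d row(s)\n", count(lookupUnsafe($pdo, $probe)));
// Binding alone: the probe is compared literally as a course name and matches nothing.
printf("bound, probe input:   %d row(s)\n", count(lookupPrepared($pdo, $probe)));
// Validation plus binding: the probe never reaches the database at all.
printf("safe, normal input:   %d row(s)\n", count(lookupSafe($pdo, 'CS101')));
printf("safe, probe input:    %d row(s)\n", count(lookupSafe($pdo, $probe)));
```

Run it with `php` from the command line. The prepared statement is what actually closes the injection; the allow-list is a second layer that also stops oversized or malformed values before a query is built, which is why the script keeps the two steps separate.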

Web Application Firewall Rule (all)

  • Block SQL injection patterns targeting the course parameter
  • Configure WAF to block requests containing SQL keywords in course parameter

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the application server

🔍 How to Verify

Check if Vulnerable:

Test the course parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that malformed 'course' values are rejected with proper error handling rather than reaching the database

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts from single IP
  • Unexpected database queries

Network Indicators:

  • HTTP requests with SQL keywords in course parameter
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (url="*studentdashboard.php*" AND (param="*course=*OR*" OR param="*course=*UNION*" OR param="*course=*SELECT*"))
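The SIEM query above matches raw wildcards, so it misses URL-encoded or mixed-case keywords and will flag any course name that merely contains the letters "or". As an added example (not part of the original advisory), the PHP script below applies the same rule to constructed access-log lines but URL-decodes the `course` parameter first and matches whole keywords case-insensitively. The log format, IP addresses and course names are all made up; PHP 8 is assumed for `str_ends_with`.

```php
<?php
// Added example, not part of the original advisory. Flags requests to
// studentdashboard.php whose decoded `course` parameter contains OR, UNION or
// SELECT as a whole word. Sample log lines below are constructed, not real traffic.

const SQL_KEYWORDS = ['OR', 'UNION', 'SELECT'];

// Returns ['course' => decoded value, 'keyword' => matched keyword] or null.
function suspiciousCourseParam(string $logLine): ?array {
    // Combined-log-format request field: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url  = $m[1];
    $path = parse_url($url, PHP_URL_PATH) ?? '';
    if (!str_ends_with($path, 'studentdashboard.php')) {
        return null;   // the sink named in the advisory is this script only
    }
    $query = parse_url($url, PHP_URL_QUERY) ?? '';
    parse_str($query, $params);   // parse_str URL-decodes every value
    if (!isset($params['course']) || !is_string($params['course'])) {
        return null;
    }
    $course = $params['course'];
    foreach (SQL_KEYWORDS as $kw) {
        // Whole-word, case-insensitive: "HISTORY101" must not trip the OR rule.
        if (preg_match('/(?<![A-Z0-9_])' . $kw . '(?![A-Z0-9_])/i', $course)) {
            return ['course' => $course, 'keyword' => $kw];
        }
    }
    return null;
}

// Constructed sample lines (not real traffic).
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /student/studentdashboard.php?course=CS101 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /student/studentdashboard.php?course=HISTORY101 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /student/studentdashboard.php?course=%27%20oR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /student/studentdashboard.php?course=CS101%20Union HTTP/1.1" 500 301',
    '10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?course=%27%20OR%201%3D1 HTTP/1.1" 200 100',
];

foreach ($sampleLog as $line) {
    $hit = suspiciousCourseParam($line);
    if ($hit !== null) {
        printf("ALERT keyword=%s course=%s\n", $hit['keyword'], json_encode($hit['course']));
    }
}
```

Only the two lines with an encoded quote-and-OR and a mixed-case UNION are reported; the plain course code, the "HISTORY101" name and the request to a different script are not. The 500 status paired with a keyword hit on the fourth line is the combination worth prioritising, since it lines up with the "unusual SQL errors" log indicator listed above.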
