CVE-2025-9664

6.3 MEDIUM

📋 TL;DR

CVE-2025-9664 is an SQL injection vulnerability in Simple Grading System 1.0's admin panel that allows attackers to manipulate database queries through the /add_student_grade.php endpoint. This affects all organizations using Simple Grading System 1.0 with the vulnerable component exposed. Attackers can potentially access, modify, or delete sensitive student and administrative data.

💻 Affected Systems

Products:
  • Simple Grading System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin panel component specifically; requires admin panel access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection escalation techniques.

🟠 Likely Case

Unauthorized access to student records, grade manipulation, or extraction of sensitive administrative credentials from the database.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, restricting attackers to read-only access of non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin panel access; SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to a supported alternative or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation and parameterized queries in /add_student_grade.php

Edit PHP file to use prepared statements with PDO or mysqli

Web Application Firewall

Applies to: all

Deploy WAF with SQL injection rules to block malicious requests

Configure WAF rules to block SQL injection patterns
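A hardened handler for the endpoint, as an added example that is not code from Simple Grading System: it validates each field against an allow-list and inserts through a PDO prepared statement, which is the prepared-statement workaround described above. The `grades` table, its columns, the request field names and the connection credentials are assumed placeholders, not taken from the project.

```php
<?php
// Added example (not the project's own code): hardened /add_student_grade.php.
// ASSUMED for illustration: table `grades`, columns/request fields student_id,
// subject and grade, and the DSN/credentials below. Adjust to the real schema.
declare(strict_types=1);

function validateGradeInput(array $post): array
{
    // Allow-list each field before it gets anywhere near the query.
    $studentId = filter_var($post['student_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $grade     = filter_var($post['grade'] ?? null, FILTER_VALIDATE_FLOAT);
    $subject   = trim((string)($post['subject'] ?? ''));
    if ($studentId === false || $grade === false || $grade < 0 || $grade > 100
        || $subject === '' || strlen($subject) > 64) {
        throw new InvalidArgumentException('invalid grade submission');
    }
    return ['student_id' => $studentId, 'subject' => $subject, 'grade' => $grade];
}

function addStudentGrade(PDO $db, array $input): int
{
    // The vulnerable pattern concatenates request values into the SQL string.
    // Placeholders keep data separate from query text, so no value can change the statement.
    $stmt = $db->prepare(
        'INSERT INTO grades (student_id, subject, grade) VALUES (:student_id, :subject, :grade)'
    );
    $stmt->bindValue(':student_id', $input['student_id'], PDO::PARAM_INT);
    $stmt->bindValue(':subject', $input['subject'], PDO::PARAM_STR);
    $stmt->bindValue(':grade', $input['grade']);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Placeholder connection; exceptions on error, server-side (non-emulated) prepares.
$db = new PDO('mysql:host=127.0.0.1;dbname=grading', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
try {
    $id = addStudentGrade($db, validateGradeInput($_POST));
    http_response_code(201);
    echo json_encode(['id' => $id]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid input';
} catch (PDOException $e) {
    error_log($e->getMessage()); // detail stays server-side; response is generic
    http_response_code(500);
    echo 'Database error';
}
```

The existing admin-session check that gates the admin panel should still run before this handler; the example covers only the query construction.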

🧯 If You Can't Patch

  • Isolate the Simple Grading System behind a VPN or internal network only
  • Implement strict access controls and monitor admin panel activity logs

🔍 How to Verify

Check if Vulnerable:

Test /add_student_grade.php endpoint with SQL injection payloads in the 'Add' parameter

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts to admin panel
  • Unexpected database access patterns

Network Indicators:

  • HTTP requests to /add_student_grade.php with SQL keywords in parameters
  • Unusual outbound database connections

SIEM Query:

source="web_logs" AND uri="/add_student_grade.php" AND param="Add" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "INSERT" OR value CONTAINS "DELETE")

(Pseudo-query; the original form `value CONTAINS "UNION" OR "SELECT" ...` would not bind `CONTAINS` to each keyword. Adapt field names and the `CONTAINS` operator to your SIEM's syntax, and expect benign hits on legitimate subject or comment text containing these words.)
