CVE-2025-9689
BaseFortify
Publication date: 2025-08-30
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| donbermoy | advanced_school_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to extract sensitive information, modify data without authorization, or disrupt the availability of the system. Since the SQL injection can be performed remotely and with authentication, it poses a significant risk to the confidentiality, integrity, and availability of your data and services. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoints with SQL injection payloads, especially targeting the 'q' parameter in /index.php/stock/item_select and the 'id' parameter in /index.php/stock/vendordetails. Example detection commands include sending time-based blind SQL injection payloads and observing response delays, such as: curl "http://<target-ip>/index.php/stock/item_select?q=1 AND (SELECT 5294 FROM (SELECT(SLEEP(5)))Zzmy)" curl "http://<target-ip>/index.php/stock/vendordetails?id=1 AND (SELECT 7412 FROM (SELECT(SLEEP(5)))mcvs)" If the server response is delayed by approximately 5 seconds, it indicates the presence of the SQL injection vulnerability. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Use prepared statements with parameterized queries to prevent SQL injection. 2. Implement strict input validation by enforcing expected data types and sanitizing inputs. 3. Apply the principle of least privilege by restricting database user permissions to only necessary actions. 4. Deploy a Web Application Firewall (WAF) to detect and block common SQL injection patterns as an additional defense layer. Since no known countermeasures or patches are available, consider replacing the affected product with a secure alternative if possible. [2, 3]
Can you explain this vulnerability to me?
CVE-2025-9689 is a SQL injection vulnerability in the SourceCodester Advanced School Management System version 1.0. It occurs because certain application functions, especially the /index.php/stock/item_select endpoint's 'q' parameter, do not properly sanitize user input. This allows an attacker, typically an authenticated one, to inject malicious SQL code into database queries. Exploiting this flaw can lead to unauthorized access, modification, or disruption of the system's database. [1, 2, 3]