Impact
The vulnerability resides in the preview.php file of SourceCodester Class and Exam Timetabling System 1.0, where the course_year_section parameter is passed into a database query without validation or escaping. This is a SQL injection flaw, classified under CWE-74 (improper neutralization of special elements) and CWE-89 (SQL injection). An attacker who can reach preview.php over the network can change the structure of the query and so read, modify or delete database contents without authorization, and potentially escalate privileges within the application.
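The following is an added example, not code from the product or from this advisory. It reconstructs the class of bug described above (a request parameter spliced into SQL text) against a constructed SQLite database and shows two payloads that exploit it, beside the parameterized form that stops them. The table and column names other than course_year_section, the sample rows and the payload strings are assumptions made for the demonstration; the product's real preview.php and schema are not shown here.

```python
import sqlite3


# Constructed stand-in for the application's database. The table and column names
# (apart from course_year_section, which the advisory names) are assumptions made
# for this demonstration, not the product's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE schedules (
            id INTEGER PRIMARY KEY,
            course_year_section TEXT,
            subject TEXT,
            room TEXT
        );
        INSERT INTO schedules (course_year_section, subject, room) VALUES
            ('BSIT-1A', 'Programming 1', 'Lab 2'),
            ('BSIT-1B', 'Programming 1', 'Lab 3'),
            ('BSCS-2A', 'Data Structures', 'Room 101');
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT,
            password_hash TEXT
        );
        INSERT INTO users (username, password_hash) VALUES ('admin', 'hash-placeholder');
        """
    )
    return conn


def preview_vulnerable(conn, course_year_section):
    """The pattern the advisory describes: the request parameter is concatenated
    straight into the SQL text. This reconstructs the class of bug, not the
    product's actual code."""
    sql = (
        "SELECT subject, room FROM schedules "
        "WHERE course_year_section = '" + course_year_section + "'"
    )
    return conn.execute(sql).fetchall()


def preview_fixed(conn, course_year_section):
    """Hardened form: a bound parameter keeps the value out of the SQL grammar, so
    quotes, comment markers and UNION in the input are only characters in a string."""
    sql = "SELECT subject, room FROM schedules WHERE course_year_section = ?"
    return conn.execute(sql, (course_year_section,)).fetchall()


# Two payloads of the kind used against a single-quoted string injection point.
TAUTOLOGY = "' OR '1'='1"  # turns the WHERE clause into an always-true condition
UNION_DUMP = (  # appends a second SELECT to read rows from an unrelated table
    "BSIT-1A' UNION SELECT username, password_hash FROM users --"
)


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": preview_vulnerable(conn, "BSIT-1A"),
        "tautology_vulnerable": preview_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": preview_vulnerable(conn, UNION_DUMP),
        "tautology_fixed": preview_fixed(conn, TAUTOLOGY),
        "union_fixed": preview_fixed(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the tautology returns every schedule row and the UNION payload returns the admin row from the users table; the same strings passed to the parameterized function match no row at all. Stacked statements (appending a DELETE after a semicolon) are not shown because the sqlite3 module refuses more than one statement per execute call; whether they work in a given deployment depends on the database driver.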
Affected Systems
The affected product is SourceCodester Class and Exam Timetabling System version 1.0. No additional affected versions or patches are listed in the current data.
Risk and Exploitability
A CVSS score of 6.9 falls in the Medium severity range. No EPSS score is available and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but exploit details are publicly documented and the flaw is reachable from the Internet. Because it is triggered remotely through an unsanitized query parameter, the main risk is to the confidentiality and integrity of the application's data; availability is less directly affected.
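Because the injection point is a GET parameter, attempts leave a trace in ordinary web server access logs. The scanner below is an added example, not part of this advisory or the product, that parses combined-format log lines, isolates requests to preview.php, URL-decodes the course_year_section value and flags common SQL injection markers. The log lines are constructed sample data, and the regular expression is a starting point for triage rather than a complete signature set.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in Apache/nginx combined format. Sample data written
# for this example, not records from a real incident.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /preview.php?course_year_section=BSIT-1A HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2024:12:00:07 +0000] "GET /preview.php?course_year_section=BSIT-1A%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20- HTTP/1.1" 200 731 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2024:12:00:09 +0000] "GET /preview.php?course_year_section=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Markers typical of injection into a quoted string parameter.
SQLI_RE = re.compile(
    r"""['"]\s*(?:or|and|union)\b"""            # quote break followed by a keyword
    r"""|\bunion\s+(?:all\s+)?select\b"""        # UNION-based data extraction
    r"""|--|/\*|#"""                             # comment sequences that truncate the query
    r"""|;\s*(?:drop|delete|update|insert)\b"""  # stacked statements
    r"""|\b(?:sleep|benchmark)\s*\(""",          # time-based blind probes
    re.IGNORECASE,
)


def scan_line(line):
    """Return a finding dict for a suspicious preview.php request, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    if target.path.rsplit("/", 1)[-1] != "preview.php":
        return None
    params = parse_qs(target.query, keep_blank_values=True)
    for value in params.get("course_year_section", []):
        # parse_qs already decoded once; a second pass catches double-encoded payloads.
        decoded = unquote(value)
        hit = SQLI_RE.search(decoded)
        if hit:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "value": decoded,
                "matched": hit.group(0),
            }
    return None


def scan_log(lines):
    """Findings for every line in the given iterable of log entries."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run over the sample, the scanner ignores the legitimate BSIT-1A lookup and the unrelated index.php request and reports the two payloads from 203.0.113.10. A 200 status on a flagged request is worth noting: a tautology that returns far more data than a normal lookup (the larger response size on the third line) is a sign the injection succeeded rather than being rejected.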
OpenCVE Enrichment