Impact
A flaw exists in preview6.php of the Class and Exam Timetabling System where the course_year_section parameter is inserted directly into an SQL statement without sanitization, allowing an attacker to inject arbitrary SQL code. This can lead to unauthorized reading or modification of database contents, compromising both confidentiality and integrity of the application data. The description does not specify whether authentication is required to reach preview6.php, so the authentication requirement remains unknown.
Affected Systems
The vulnerability affects SourceCodester’s Class and Exam Timetabling System, version 1.0, through its preview6.php component. Any deployment that includes this default file and exposes it to external users is susceptible; no other versions have been documented as affected.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate severity level. The EPSS score of <1% reflects a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote, as an external user can craft a request to preview6.php and supply a malicious course_year_section value to perform the injection.
OpenCVE Enrichment