Impact
A SQL injection flaw exists in SourceCodester Class and Exam Timetabling System version 1.0, triggered by manipulating the sy argument of archive.php. The vulnerability allows an attacker to inject arbitrary SQL into the database query that the application executes, potentially leading to unauthorized data exposure, modification, or corruption. The flaw is reported as remotely exploitable, and a public exploit has already been observed.
Affected Systems
The affected product is SourceCodester Class and Exam Timetabling System, version 1.0, available at sourcecodester.com. No additional vendor-specified affected versions are listed.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity; no EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is remote and exploit code is publicly distributed, an attacker can leverage the injection without privileged local access. The lack of input validation and the reliance on raw query concatenation correspond to the CWE-74 and CWE-89 weaknesses, increasing the likelihood that a successful exploit leads to data compromise.
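The contrast between raw query concatenation and a parameterised, validated query, as described in the Impact and Risk and Exploitability sections, shown as an added illustration that is not code from the SourceCodester project. The application itself is written in PHP, and its archive.php source is not on the page, so this uses Python with an in-memory SQLite table and a constructed archive schema. Only the sy parameter name comes from the advisory; the archive table, the 2023-2024 school-year format, and the function names archive_vulnerable, archive_safe, validate_sy and archive_hardened are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the timetabling database (hypothetical schema;
# the real archive.php tables are not on the page).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE archive (id INTEGER PRIMARY KEY, sy TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO archive (sy, title) VALUES (?, ?)",
        [
            ("2022-2023", "First semester timetable"),
            ("2023-2024", "Final exam schedule"),
        ],
    )
    return conn


def archive_vulnerable(conn: sqlite3.Connection, sy: str) -> list:
    # CWE-89 pattern: the user-controlled value is spliced into the SQL text,
    # so quote characters in sy change the structure of the statement.
    sql = "SELECT id, sy, title FROM archive WHERE sy = '" + sy + "'"
    return conn.execute(sql).fetchall()


def archive_safe(conn: sqlite3.Connection, sy: str) -> list:
    # Parameterised query: sy is bound as data, never parsed as SQL,
    # so the same input is simply compared literally against the column.
    return conn.execute(
        "SELECT id, sy, title FROM archive WHERE sy = ?", (sy,)
    ).fetchall()


# Allow-list for a school-year value such as 2023-2024 (assumed format).
SY_PATTERN = re.compile(r"^\d{4}-\d{4}$")


def validate_sy(sy: str) -> bool:
    # Reject anything that does not look like a school year before it
    # reaches the database layer; defence in depth alongside binding.
    return bool(SY_PATTERN.match(sy))


def archive_hardened(conn: sqlite3.Connection, sy: str) -> list:
    # Validation first, then a bound parameter: the corrected form of the
    # concatenated query above.
    if not validate_sy(sy):
        raise ValueError("invalid sy parameter")
    return archive_safe(conn, sy)


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"  # constructed malformed value for the demo
    print("concatenated query, legit input :", archive_vulnerable(db, "2023-2024"))
    print("concatenated query, malformed   :", archive_vulnerable(db, tautology))
    print("bound parameter, malformed      :", archive_safe(db, tautology))
    print("allow-list accepts 2023-2024    :", validate_sy("2023-2024"))
    print("allow-list accepts malformed    :", validate_sy(tautology))
```

Run stand-alone, the concatenated query returns every archive row for the malformed value while the bound query returns none, which is the behavioural difference a code review of archive.php should look for: any request parameter that reaches the query string without a placeholder is the finding, and the fix is binding plus an allow-list on the expected value format.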
OpenCVE Enrichment