Impact
The vulnerability in the preview7.php page of SourceCodester Class and Exam Timetabling System allows an attacker to inject arbitrary SQL through the course_year_section argument. The flaw stems from passing that parameter into a database query without sanitization or parameterization, which is CWE-89 (SQL injection), a specialization of the general injection class CWE-74. Successful exploitation permits unauthorized reading or modification of database contents, potentially exposing or corrupting student, course, and scheduling data.
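To make the CWE-89 mechanism concrete, the following is an added example (not code from the SourceCodester application, whose actual query, table and column names the advisory does not show). It builds a constructed in-memory SQLite schema with assumed table names (schedule, users), reproduces the injection pattern in preview_vulnerable (parameter spliced into the SQL string), and places the hardened form beside it in preview_fixed (a bound parameter, the equivalent of mysqli or PDO prepared statements in PHP). Two classic payloads for a single-quoted string context are run through both.

```python
import sqlite3

# Constructed stand-in schema; the real application's table and column
# names are not known from the advisory, so these are assumptions.
SCHEMA = """
CREATE TABLE schedule (
    id INTEGER PRIMARY KEY,
    course_year_section TEXT NOT NULL,
    subject TEXT NOT NULL,
    room TEXT NOT NULL
);
INSERT INTO schedule VALUES (1, 'BSIT-1A', 'Programming 1', 'R101');
INSERT INTO schedule VALUES (2, 'BSIT-1B', 'Data Structures', 'R102');
INSERT INTO schedule VALUES (3, 'BSCS-2A', 'Algorithms', 'R201');

CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
"""


def build_db():
    """Return an in-memory SQLite database populated with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def preview_vulnerable(conn, course_year_section):
    """CWE-89 pattern: the request parameter is spliced into the SQL text.

    The attacker controls part of the query grammar, not just a value,
    so a quote in the input ends the string literal and the rest is SQL.
    """
    sql = (
        "SELECT id, course_year_section, subject, room FROM schedule "
        "WHERE course_year_section = '" + course_year_section + "' "
        "ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def preview_fixed(conn, course_year_section):
    """Hardened form: a bound parameter. The value can never become SQL."""
    sql = (
        "SELECT id, course_year_section, subject, room FROM schedule "
        "WHERE course_year_section = ? ORDER BY id"
    )
    return conn.execute(sql, (course_year_section,)).fetchall()


# Tautology: turns the WHERE clause into "... = '' OR '1'='1'".
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
# UNION: appends a SELECT over another table; the trailing "'1'='1" absorbs
# the closing quote the application adds, so no comment sequence is needed.
PAYLOAD_UNION = "' UNION SELECT id, username, password_hash, '' FROM users WHERE '1'='1"


def compare(payload):
    """Run one payload through both query builders; return (vulnerable, fixed) rows."""
    conn = build_db()
    return preview_vulnerable(conn, payload), preview_fixed(conn, payload)


if __name__ == "__main__":
    for name, payload in (("tautology", PAYLOAD_TAUTOLOGY), ("union", PAYLOAD_UNION)):
        vuln_rows, fixed_rows = compare(payload)
        print(f"{name}: vulnerable returned {len(vuln_rows)} rows, fixed returned {len(fixed_rows)}")
        for row in vuln_rows:
            print("   ", row)
```

The tautology payload makes the vulnerable query return every schedule row, and the UNION payload pulls the assumed users table into the preview output, which is the "unauthorized reading of database contents" the advisory describes. The parameterized version returns nothing for either payload because the whole string is compared as a value. An allow-list check on the parameter's expected format is worthwhile defense in depth, but the bound parameter is the fix.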
Affected Systems
Affected systems include installations of SourceCodester Class and Exam Timetabling System; the advisory references version 1.0 and the preview7.php page (listed as the 1.0/7.php component) as the affected entry point. No other versions are enumerated, so any deployment that exposes preview7.php should be treated as at risk unless the course_year_section parameter is validated or the underlying query is parameterized. The description identifies a single entry point; other pages of the application are not covered by the advisory.
Risk and Exploitability
The CVSS score of 6.9 sits at the top of the Medium band (4.0 to 6.9), while no EPSS score is available, so the likelihood of exploitation in the wild cannot be quantified. The vulnerability is exploitable remotely by supplying a crafted course_year_section value to preview7.php, and because it is publicly disclosed, anyone with network access to the application can attempt it. It is not currently in CISA's KEV catalog.
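Since exploitation only requires sending a crafted course_year_section value, attempts are visible in web server access logs when the parameter travels in the query string. The following is an added example (not part of the advisory or the project) of detection logic run over constructed combined-format log lines: it parses each request, keeps only hits on /preview7.php, URL-decodes the course_year_section value, and flags values carrying quotes, SQL comment sequences or injection keywords. The log lines, IP addresses and user agents are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/nginx combined format; not real
# traffic. Lines 2 and 3 carry URL-encoded injection payloads.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:12 +0000] "GET /preview7.php?course_year_section=BSIT-1A HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:01:40 +0000] "GET /preview7.php?course_year_section=BSIT-1A%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:02:03 +0000] "GET /preview7.php?course_year_section=%27%20UNION%20SELECT%20id%2Cusername%2Cpassword%2C%27%27%20FROM%20users-- HTTP/1.1" 200 1203 "-" "sqlmap/1.7"
203.0.113.7 - - [10/May/2024:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target, status and response size
# from a combined-format line; the remaining fields are not needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Keywords that have no business in a course/year/section label. "OR" and
# "AND" are deliberately absent: on their own they are too common in
# legitimate text, and the quote check already catches tautology payloads.
KEYWORD_RE = re.compile(r"\b(union|select|sleep|benchmark|information_schema)\b", re.I)


def classify(value):
    """Return the reasons a decoded parameter value looks like SQL injection."""
    reasons = []
    if "'" in value or '"' in value:
        reasons.append("quote")
    if "--" in value or "/*" in value or "#" in value:
        reasons.append("comment")
    if KEYWORD_RE.search(value):
        reasons.append("keyword")
    return reasons


def scan_log(text, page="/preview7.php", param="course_year_section"):
    """Return one record per suspicious request to `page` carrying `param`."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != page:
            continue
        # parse_qs percent-decodes the value, so encoded quotes are caught.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            reasons = classify(value)
            if reasons:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "size": int(m.group("size")),
                    "value": value,
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} size={hit['size']} "
              f"reasons={','.join(hit['reasons'])} value={hit['value']!r}")
```

Two caveats when applying this to a real deployment. The access log only shows the parameter if the page is requested with GET; if the application submits course_year_section in a POST body, the value must come from application-level or WAF logging instead. And a 200 status does not distinguish a blocked attempt from a successful one, so compare response sizes against the baseline for the same page: in the constructed lines the tautology request returns a noticeably larger body than the legitimate one, which is the kind of signal worth triaging first.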
OpenCVE Enrichment