Impact
An input parameter named ID in edit_course.php is not properly sanitized, allowing an attacker to inject arbitrary SQL statements. The flaw is classified under CWE-74 (injection) and CWE-89 (SQL injection). An attacker who successfully exploits the injection can read, modify, or delete data stored in the application's database, potentially exposing confidential educational records and disrupting the timetabling service.
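The unsanitized-ID pattern described above, shown as an added illustration (not code from the SourceCodester project) beside the hardened form a fix would use; the `courses` table, its `id` and `course_name` columns, and the `$conn` mysqli connection are assumptions:

```php
<?php
// Added example, not the project's own code. Table/column names and the
// mysqli connection $conn are assumptions for illustration.

// Vulnerable pattern: the ID parameter is concatenated straight into the
// query text, so whatever the client sends is interpreted as SQL.
function loadCourseVulnerable(mysqli $conn, array $get): ?array
{
    $id = $get['ID'] ?? '';
    $sql = "SELECT id, course_name FROM courses WHERE id = '" . $id . "'";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened pattern: accept only a positive integer, then bind the value as a
// query parameter so the database never treats it as part of the SQL text.
function loadCourseHardened(mysqli $conn, array $get): ?array
{
    $id = filter_var(
        $get['ID'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);   // reject malformed IDs before touching the DB
        return null;
    }

    $stmt = $conn->prepare('SELECT id, course_name FROM courses WHERE id = ?');
    if ($stmt === false) {
        return null;               // prepare failed; surface via mysqli error logging
    }
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Validating the type first also gives a cheap detection hook: a 400 on edit_course.php for a non-numeric ID is a log line worth alerting on.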
Affected Systems
The vulnerable functionality is present in SourceCodester's Class and Exam Timetabling System, version 1.0. The issue appears to affect an unspecified internal endpoint; the only publicly referenced product and version is the 1.0 release of that system.
Risk and Exploitability
The CVSS score of 6.9 places the vulnerability in the medium-to-high severity range. No EPSS data is available and the item is not listed in the CISA KEV catalog, but public disclosure combined with remote exploitability suggests that exploitation is plausible. The attack can be performed over the network against any instance that accepts input for the ID parameter and is not protected by additional network isolation.
OpenCVE Enrichment