Impact
Code‑Projects Assessment Management 1.0 contains an SQL injection vulnerability in the /lecturer/marking-scheme.php script: values supplied in the squestions[] request parameter reach a database query without being neutralised. Because squestions[] is an array parameter, every element is a separate attacker‑controlled string, and a single crafted element is enough to change the structure of the query. The weakness is classified as improper neutralisation of special elements in an injection context (CWE‑74) and, more specifically, SQL injection (CWE‑89). A successful attacker can read, modify, or delete data in the application database, including student records, grades, and other sensitive information. The script sits under the lecturer area of the application; whether a lecturer session is required before the parameter is processed is not stated here.
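As an added illustration, not code from the Assessment Management project (whose PHP handler is not reproduced here), the following Python script reconstructs the flaw class against an in‑memory SQLite database. A hypothetical `fetch_marks_vulnerable` joins the elements of a `squestions`‑style array straight into an `IN (...)` list, while `fetch_marks_fixed` validates each element and binds it with its own placeholder. The table names, columns, sample rows, and the payload are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the real application): a marking-scheme
# table and a users table whose contents an attacker should never reach.
SCHEMA = """
CREATE TABLE marking_scheme (
    question_id INTEGER PRIMARY KEY,
    lecturer_id INTEGER NOT NULL,
    marks       INTEGER NOT NULL
);
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
INSERT INTO marking_scheme VALUES (1, 10, 5), (2, 10, 10), (3, 11, 7), (4, 11, 3);
INSERT INTO users VALUES (1, 'lecturer_a', 'constructed-hash-a'),
                         (2, 'lecturer_b', 'constructed-hash-b');
"""


def fresh_db():
    """In-memory SQLite stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_marks_vulnerable(conn, lecturer_id, squestions):
    """Hypothetical handler mirroring the flaw class: every element of the
    squestions[] array is concatenated into the IN (...) list unchanged (CWE-89)."""
    in_list = ", ".join(squestions)  # attacker-controlled text lands inside the SQL
    sql = ("SELECT question_id, marks FROM marking_scheme "
           f"WHERE lecturer_id = {int(lecturer_id)} AND question_id IN ({in_list})")
    return conn.execute(sql).fetchall()


def fetch_marks_fixed(conn, lecturer_id, squestions):
    """Hardened form: reject anything that is not a bare integer, then bind each
    value with its own placeholder so data can never change the query's shape."""
    ids = []
    for q in squestions:
        if not q.isdigit():
            raise ValueError(f"invalid question id: {q!r}")
        ids.append(int(q))
    if not ids:
        return []
    placeholders = ", ".join("?" for _ in ids)
    sql = ("SELECT question_id, marks FROM marking_scheme "
           f"WHERE lecturer_id = ? AND question_id IN ({placeholders})")
    return conn.execute(sql, [int(lecturer_id), *ids]).fetchall()


# Constructed payload of the shape that matters for an array parameter: the
# second element closes the IN list and appends a UNION that reads the users
# table; the trailing comment swallows the closing parenthesis of the original query.
PAYLOAD = ["1", "2) UNION SELECT id, password_hash FROM users --"]


def demo():
    """Run both handlers against the payload; returns (leaked rows, payload rejected)."""
    conn = fresh_db()
    leaked = fetch_marks_vulnerable(conn, 10, PAYLOAD)
    try:
        fetch_marks_fixed(conn, 10, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, rejected = demo()
    print("vulnerable handler returned:", rows)
    print("fixed handler rejected payload:", rejected)
```

The vulnerable handler returns the two legitimate mark rows plus both password hashes from the users table; the hardened handler refuses the payload before any SQL is built, and on honest input returns only the rows belonging to the given lecturer, because the lecturer filter is bound rather than bypassable.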
Affected Systems
The vulnerability affects the Code‑Projects Assessment Management application, version 1.0. No other versions or products are listed. The affected component is the Database Query Handler that processes lecturer marking data, reached through /lecturer/marking-scheme.php.
Risk and Exploitability
The CVSS score is 5.3, a Medium severity rating. No EPSS score is available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The attack can be carried out over the network, and a proof‑of‑concept exploit has been published, which lowers the effort needed to exploit the flaw. A public proof of concept is not, by itself, evidence of active exploitation, and none is reported here; it is a reason to remediate promptly (parameterised queries and server‑side validation of every element of squestions[]) rather than an indicator of compromise.
OpenCVE Enrichment