Impact
The vulnerability is a SQL injection in code-projects Assessment Management 1.0, caused by unsanitised handling of the smarksrange[] argument in marking-scheme.php. The [] suffix marks a PHP array parameter, so every element the client sends reaches the query, and an attacker who controls any element can inject arbitrary SQL to read, modify or delete database content. The resulting impact is loss of confidentiality and integrity, and possibly of availability, bounded by the privileges of the database user the application connects with.
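The mechanics behind an array parameter such as smarksrange[], shown as an added example that is not code from Assessment Management: the vulnerable builder hand-quotes each element into an IN list, the hardened builder binds one placeholder per element. The schema, table and column names (marking_scheme, users, password_hash), the lecturer id and the payload strings are all constructed for illustration and are assumptions, not taken from the product.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, str]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for a marking-scheme table and
    a users table. Names are assumptions, not the product's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE marking_scheme (
            id INTEGER PRIMARY KEY, lecturer_id INTEGER, marks_range TEXT, grade TEXT);
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO marking_scheme VALUES (1, 7, '0-49', 'F'), (2, 7, '50-69', 'C'),
                                          (3, 8, '70-100', 'A');
        INSERT INTO users VALUES (1, 'admin', 'h4sh');
        """
    )
    return conn


def query_vulnerable(conn: sqlite3.Connection, lecturer_id: int,
                     smarksrange: List[str]) -> List[Row]:
    """Anti-pattern: every element of smarksrange[] is hand-quoted and spliced
    into the statement text. A quote inside one element ends the literal and
    the remainder of that element is executed as SQL."""
    values = ", ".join(f"'{v}'" for v in smarksrange)
    sql = (
        "SELECT id, marks_range, grade FROM marking_scheme "
        f"WHERE lecturer_id = {lecturer_id} AND marks_range IN ({values})"
    )
    return conn.execute(sql).fetchall()


def query_safe(conn: sqlite3.Connection, lecturer_id: int,
               smarksrange: List[str]) -> List[Row]:
    """Hardened form: one bound placeholder per array element. The driver sends
    each value as data, so quotes, comment markers and keywords stay literal.
    The empty array is handled first because 'IN ()' is invalid on most engines."""
    if not smarksrange:
        return []
    placeholders = ", ".join("?" for _ in smarksrange)
    sql = (
        "SELECT id, marks_range, grade FROM marking_scheme "
        f"WHERE lecturer_id = ? AND marks_range IN ({placeholders})"
    )
    return conn.execute(sql, [lecturer_id, *smarksrange]).fetchall()


# Constructed payloads of the kind the advisory describes: a quote closes the
# IN list, a clause is appended, and '--' comments out the rest of the statement.
PAYLOAD_BYPASS = "0-49') OR 1=1 --"
PAYLOAD_UNION = "0-49') UNION SELECT id, username, password_hash FROM users --"


def demo() -> dict:
    """Run the same payloads through both builders and return the row sets."""
    conn = make_db()
    return {
        "normal": query_vulnerable(conn, 7, ["0-49"]),
        "bypass_vuln": query_vulnerable(conn, 7, [PAYLOAD_BYPASS]),   # all rows
        "union_vuln": query_vulnerable(conn, 7, [PAYLOAD_UNION]),     # users rows leak
        "bypass_safe": query_safe(conn, 7, [PAYLOAD_BYPASS]),         # no match
        "union_safe": query_safe(conn, 7, [PAYLOAD_UNION]),           # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The example uses SQLite so it runs offline; the splice-versus-bind distinction is the same on MySQL, where the PHP equivalent is a PDO or mysqli prepared statement with one placeholder per element of $_GET['smarksrange'] or $_POST['smarksrange'].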
Affected Systems
The affected system is code-projects Assessment Management version 1.0. The flaw resides in the /lecturer/marking-scheme.php script on the web server, so every deployment of this version that serves that script is affected. The database account the application connects with determines how much an attacker can read or change, not whether the injection works.
Risk and Exploitability
The CVSS base score of 5.3 rates the issue medium severity. It is exploitable remotely over HTTP, and a public exploit is documented. No EPSS score is available and the vulnerability is not listed in CISA KEV, but the published exploit makes attempts realistic. An attacker triggers the flaw by sending a request to /lecturer/marking-scheme.php whose smarksrange[] values contain SQL. The page does not state whether the endpoint requires an authenticated lecturer session; the /lecturer/ path suggests it may, but until that is verified treat the script as reachable by anyone who can send requests to the web server.
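A hunting check for exploitation attempts against the endpoint, added here as an example and not part of the advisory or the product: it parses web-server access-log lines, decodes smarksrange[] values, and flags any value that does not look like a marks range. The log lines are constructed, the combined log format, the "N-N" allowlist shape and the signature list are assumptions; adjust the allowlist to the application's real value format.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for the affected endpoint. They are
# illustrative, not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /lecturer/marking-scheme.php?smarksrange%5B%5D=0-49&smarksrange%5B%5D=50-69 HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /lecturer/marking-scheme.php?smarksrange%5B%5D=0-49%27%29+UNION+SELECT+id%2Cusername%2Cpassword_hash+FROM+users--+ HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2024:12:00:12 +0000] "GET /lecturer/marking-scheme.php?smarksrange%5B%5D=0-49%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:12:01:00 +0000] "GET /lecturer/dashboard.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/lecturer/marking-scheme.php"
PARAM = "smarksrange[]"

# Assumed legitimate shape of a marks range, e.g. "50-69". The real format is
# not documented on this page; a positive allowlist is still the right approach.
EXPECTED_VALUE = re.compile(r"^\d{1,3}-\d{1,3}$")

# Signatures that make a rejected value worth escalating rather than only logging.
SQLI_HINT = re.compile(r"'|--|/\*|\bunion\b|\bselect\b|\bsleep\b|\bor\s+\d+\s*=\s*\d+", re.I)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per smarksrange[] value that fails the allowlist."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes keys and values, so %5B%5D becomes [] and
        # '+' becomes a space, giving the same strings the PHP script would see.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if EXPECTED_VALUE.match(value):
                continue
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": m["status"],
                "value": value,
                "reason": "sqli_signature" if SQLI_HINT.search(value) else "unexpected_format",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['reason']}: {f['value']!r}")
```

Access logs only record the query string, so if the application accepts smarksrange[] in a POST body the check must run over a request-body source (WAF, reverse-proxy or application logs) instead; the advisory does not say which method the script reads. A 200 on a request with a SQL payload, or a response noticeably slower or larger than the baseline for that endpoint, is the signal to pivot to database-side review.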
OpenCVE Enrichment