Impact
The issue resides in edit_course1.php, where the ID parameter is used in a SQL query without proper sanitization, resulting in a classic SQL injection vulnerability. Attackers can manipulate the ID value to inject arbitrary SQL code, potentially reading, modifying, or deleting data from the underlying database. This could expose sensitive user information, compromise the integrity of the timetabling data, or provide a foothold for further attacks.
Affected Systems
SourceCodester Class and Exam Timetabling System, version 1.0 (the affected file is edit_course1.php within that release). No other versions or products are explicitly mentioned.
Risk and Exploitability
A CVSS score of 6.9 indicates moderate to high risk. The EPSS score is < 1%, indicating a very low but nonzero probability of exploitation. The vulnerability has been publicly disclosed and is not listed in the CISA KEV catalog, suggesting no large-scale public exploitation yet. It can be launched from the internet via the edit_course1.php endpoint using a crafted ID value; no authentication is required in the description, implying any user with access to the endpoint could potentially exploit it.
OpenCVE Enrichment