VYPR
High severity · 7.3 · NVD Advisory · Published Sep 1, 2025 · Updated Apr 29, 2026

CVE-2025-9788

Description

A vulnerability was found in SourceCodester/Campcodes School Log Management System 1.0. It affects an unknown functionality of the file /admin/admin_class.php. Manipulating the argument id_no can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceCodester/Campcodes School Log Management System 1.0 via the id_no parameter in /admin/admin_class.php allows remote unauthenticated attackers to execute arbitrary SQL queries.

Vulnerability

Analysis

CVE-2025-9788 describes a SQL injection vulnerability in the SourceCodester/Campcodes School Log Management System version 1.0. The flaw resides in the /admin/admin_class.php file within the admin directory. The root cause is the lack of proper input sanitization or validation for the id_no parameter, which is directly concatenated into SQL queries. This allows an attacker to inject malicious SQL code through this parameter [1].

Exploitation

The attack can be launched remotely and does not require authentication or authorization [1]. The vulnerable parameter is id_no, which is sent via a POST request (multipart form data). The publicly disclosed proof-of-concept demonstrates a time-based blind SQL injection technique using the MySQL SLEEP() function, confirming that the injection is exploitable without any prior login [1].

Impact

Successful exploitation enables an attacker to perform unauthorized database operations, including reading, modifying, or deleting sensitive data. This could lead to full database compromise, exposure of user credentials or logs, and potential escalation to broader system control. The impact is severe as it threatens data integrity and system confidentiality [1].

Mitigation

As of the publication date, no official patch has been released by the vendor. The product appears to be a legacy or unmaintained project. Users are advised to apply input validation and parameterized queries to the affected file, or discontinue use of the system if possible. The vulnerability has been publicly disclosed, increasing the risk of exploitation [1].
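The input validation and parameterized query recommended above, as an added PHP example (not code from the affected project or from this advisory). The students table, its columns and the id_no format are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code. Table, columns and the id_no
// format are hypothetical; SQLite in memory stands in for MySQL.

// Vulnerable pattern the advisory describes (shown for contrast, never run):
//   $db->query("SELECT * FROM students WHERE id_no = '" . $_POST['id_no'] . "'");

/** Allow-list check; also rejects arrays sent as id_no[]=... */
function validate_id_no(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9-]{1,20}\z/', $raw) === 1 ? $raw : null;
}

/** The value is bound as data and never becomes part of the SQL text. */
function lookup_by_id_no(PDO $db, string $idNo): ?array
{
    $stmt = $db->prepare('SELECT id_no, name FROM students WHERE id_no = :id_no');
    $stmt->execute([':id_no' => $idNo]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Request handler path: validate first, then query. */
function find_student(PDO $db, mixed $raw): ?array
{
    $idNo = validate_id_no($raw);
    return $idNo === null ? null : lookup_by_id_no($db, $idNo);
}

// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id_no TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students VALUES ('S-1001', 'Constructed Student')");

$hostile = "S-1001' OR '1'='1"; // constructed input with SQL metacharacters
var_dump(find_student($db, 'S-1001'));    // well-formed id_no
var_dump(find_student($db, $hostile));    // fails the allow-list check
var_dump(find_student($db, ['S-1001']));  // array instead of string
var_dump(lookup_by_id_no($db, $hostile)); // validation skipped, value still bound as data
```

The last call skips validation on purpose to show that the bound parameter is compared as a literal string, so the two controls work independently of each other.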

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4
