Listen to this Post
The vulnerability CVE-2025-13325 is an SQL injection flaw within the `enrollment_edit1.php` component of Student Information System 1.0. The issue stems from improper neutralization of special elements used in an SQL command via the `en_id` parameter. An attacker can send a crafted HTTP request containing malicious SQL code within this parameter. Because the application does not adequately sanitize user input before incorporating it into an SQL query, the malicious payload is executed by the backend database. This allows a remote, authenticated attacker to read, modify, or delete sensitive information from the database, such as student records or user credentials, without the need for any user interaction beyond the initial request.
Platform: Student Information System
Version: 1.0
Vulnerability: SQL Injection
Severity: Medium
date: 11/17/2025
Prediction: Patch expected 01/15/2026
What Undercode Say:
`curl -X GET “http://target/enrollment_edit1.php?en_id=1′ UNION SELECT 1,user(),version()– -“`
`sqlmap -u “http://target/enrollment_edit1.php?en_id=1” –risk=3 –level=5`
How Exploit:
Remote attackers submit malicious SQL queries via the `en_id` GET parameter to extract database information, including admin credentials and sensitive student data, without authorization.
Protection from this CVE:
Parameterized queries.
Input validation.
Web Application Firewall.
Impact:
Unauthorized data access.
Data manipulation.
Information disclosure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
