Skip to main content
CVE Vulnerability Database

CVE-2025-9665: Simple Grading System SQL Injection Flaw

CVE-2025-9665 is an SQL injection vulnerability in Fabian Simple Grading System 1.0 affecting the Admin Panel's edit_student.php file. Attackers can exploit the ID parameter remotely. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-9665 Overview

CVE-2025-9665 is a SQL injection vulnerability in code-projects Simple Grading System 1.0. The flaw exists in the /edit_student.php script within the Admin Panel component. Attackers can manipulate the ID parameter to inject arbitrary SQL statements into backend queries. The vulnerability is remotely exploitable over the network and requires low-privilege authentication. Public exploit details have been disclosed, increasing the risk of opportunistic exploitation against exposed installations.

Critical Impact

Authenticated attackers can inject SQL through the ID parameter of /edit_student.php, allowing unauthorized read or modification of student grading records.

Affected Products

  • Fabian Simple Grading System 1.0
  • Component: Admin Panel (/edit_student.php)
  • CPE: cpe:2.3:a:fabian:simple_grading_system:1.0

Discovery Timeline

  • 2025-08-29 - CVE-2025-9665 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9665

Vulnerability Analysis

The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command and [CWE-74] Improper Neutralization of Special Elements in Output Used by a Downstream Component. The edit_student.php endpoint accepts an ID argument from HTTP request input and concatenates it directly into a SQL query without parameterization or input validation.

An authenticated user with access to the Admin Panel can supply crafted input to the ID parameter. The injected payload is interpreted by the backend database engine as part of the query syntax. This allows the attacker to alter query logic, retrieve unauthorized rows, or modify data in the underlying database.

Because the exploit has been published, attackers can adapt existing payloads with minimal effort. The vulnerability affects confidentiality, integrity, and availability of the application's student records.

Root Cause

The root cause is the absence of prepared statements or input sanitization on the ID parameter passed to edit_student.php. The application concatenates user-supplied data directly into SQL syntax instead of binding parameters. This breaks the separation between query structure and data values.

Attack Vector

The attack is initiated remotely over the network against an exposed instance of the Simple Grading System. The attacker must hold a valid low-privilege account on the Admin Panel. They submit an HTTP request to /edit_student.php with a malicious value in the ID parameter. The backend database executes the resulting tampered query, returning data or applying changes outside the application's intended scope.

A technical walkthrough of the exploitation steps is described in the third-party submission referenced by VulDB #321872 and the Yuque Document on Security.

Detection Methods for CVE-2025-9665

Indicators of Compromise

  • HTTP requests to /edit_student.php containing SQL meta-characters such as ', --, UNION, SELECT, or OR 1=1 inside the ID parameter.
  • Database error messages or stack traces returned to the client following requests to edit_student.php.
  • Unexpected modifications or deletions in student records authored from administrator sessions.

Detection Strategies

  • Inspect web server access logs for non-numeric or URL-encoded payloads supplied to the ID query string parameter.
  • Deploy web application firewall (WAF) rules that flag classical SQL injection signatures targeting PHP applications.
  • Correlate authenticated admin session activity with database query anomalies, such as long-running queries or queries returning unusually large result sets.

Monitoring Recommendations

  • Enable verbose query logging on the MySQL or MariaDB instance backing the application and alert on queries referencing the students table outside expected workflows.
  • Monitor failed login attempts and brute-force activity against the Admin Panel, since exploitation requires authenticated access.
  • Track outbound network connections from the web server, which could indicate post-exploitation data exfiltration.

How to Mitigate CVE-2025-9665

Immediate Actions Required

  • Restrict network exposure of the Simple Grading System Admin Panel to trusted internal networks or VPN access only.
  • Rotate all administrative credentials and audit existing accounts for unauthorized additions.
  • Review the students database table for unauthorized modifications and restore from a known-good backup if tampering is identified.

Patch Information

No vendor patch has been published for Simple Grading System 1.0 at the time of writing. Refer to the Code Projects Resource Hub for any future updates from the maintainer. Until a fix is released, organizations should treat the application as vulnerable and apply the workarounds below.

Workarounds

  • Modify edit_student.php to use parameterized queries via PDO or mysqli prepared statements, binding the ID value as an integer.
  • Add server-side input validation that rejects any ID value that is not a positive integer before the request reaches the database layer.
  • Deploy a WAF in front of the application with rules blocking SQL injection patterns against the /edit_student.php endpoint.
  • Limit database account privileges used by the application to the minimum required for normal operation, eliminating DROP, ALTER, and cross-database read rights.
bash
# Example WAF rule (ModSecurity) blocking SQLi attempts against edit_student.php
SecRule REQUEST_URI "@beginsWith /edit_student.php" \
  "phase:2,chain,deny,status:403,msg:'CVE-2025-9665 SQLi attempt'"
  SecRule ARGS:ID "!@rx ^[0-9]+$" "t:none"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.