Student Transcript Processing System
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact, though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity, and there is no KEV listing at time of analysis.
SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.
A weakness has been identified in itsourcecode Student Transcript Processing System 1.0. Affected is an unknown function of the file /login.php. Manipulating the argument uname can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.