MEDIUM 6.3

CVE-2026-10297: SQL Injection in itsourcecode Fees Management System 1.0

A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the course management functionality. An authenticated attacker can manipulate the ID parameter in the /manage_course.php endpoint to execute arbitrary SQL queries against the underlying database. The vulnerability requires valid login credentials but can be exploited over the network without additional interaction. Exploit code is publicly available, elevating the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown part of the file /manage_course.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10297 is a SQL injection flaw (CWE-89, CWE-74) affecting the Fees Management System's /manage_course.php script. The ID parameter is insufficiently sanitized or parameterized, allowing authenticated users to inject SQL syntax. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects network-based access with low complexity, requiring low privilege (user-level login), and resulting in confidentiality, integrity, and availability impact limited to the affected component. The presence of publicly disclosed exploit code reduces the barrier to weaponization.

Business impact

Organizations deploying this Fees Management System face data breach risk if student, course, or financial records are exposed through SQL injection. Attackers with valid user accounts could modify course data, alter fee calculations, or extract sensitive information. The requirement for authentication mitigates risk in air-gapped or tightly access-controlled deployments but does not eliminate insider threat or compromised-credential scenarios. Educational institutions using this system should prioritize patch deployment or access restriction.

Affected systems

itsourcecode Fees Management System version 1.0 is affected. The vulnerability is specific to this product; verify whether your organization uses this particular system. Community-forked or customized versions may inherit or modify this vulnerability. No evidence of exploitation in the wild has been documented in public KEV databases, though public exploit availability suggests opportunistic attacks may occur.

Exploitability

Exploitation requires valid credentials (authenticated user access), which is not a high barrier in academic or organizational environments where many users have system logins. The attack complexity is low—basic SQL injection techniques apply. Public exploit availability means attackers need minimal skill to attempt this attack. Detection is possible through database query logging if configured, but many deployments may lack robust SQL audit trails.

Remediation

Immediate action: Apply vendor patches or upgrades if available. If patches are unavailable, implement network segmentation to restrict access to /manage_course.php to authorized administrative networks. Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the ID parameter. Enforce the principle of least privilege for database accounts used by the application. As a temporary measure, consider disabling course management features that are not actively required. Verify that input validation and parameterized queries are in place in any patched version before deployment.

Patch guidance

Contact itsourcecode directly for patch availability and version numbers; no official CVE advisory with versioning information is referenced in public sources. Test any patch in a non-production environment first, particularly given the core nature of this functionality. Verify patch integrity through vendor-supplied checksums. If no patch is available from the vendor, escalate this to your software procurement and risk teams to evaluate alternative solutions or extended vendor support.

Detection guidance

Monitor for SQL injection attempts in web server and application logs, particularly around /manage_course.php requests containing SQL keywords (SELECT, UNION, OR, etc.) in the ID parameter. Enable database audit logging to capture suspicious query patterns. Implement intrusion detection system (IDS) signatures for SQL injection attacks. Query application user activity logs for unusual data exports or modifications to course records. Alert on failed SQL syntax errors if the application logs them, as these indicate injection attempts.

Why prioritize this

This vulnerability merits urgent but not emergency prioritization. The requirement for authentication reduces lateral risk from the public internet. However, the presence of publicly available exploit code, combined with the sensitivity of educational data and financial records in a Fees Management System, creates material risk. Organizations should patch within 2–4 weeks, sooner if many users have system access or if the application is internet-facing.

Risk score, explained

The CVSS 3.1 score of 6.3 (Medium) reflects the balance of factors: network accessibility and low complexity favor attackers, but the authentication requirement limits exposure. Confidentiality, integrity, and availability impacts are each marked as Low, meaning the attacker gains data access, can modify records, or cause disruption, but not in a way that cascades system-wide. The score does not account for public exploit availability or reputational impact; organizations handling sensitive student data should treat this as a higher business priority than the numeric score suggests.

Frequently asked questions

Do we need to apply this patch immediately?

If your Fees Management System is internet-facing or accessible to many users, yes—prioritize patching within 2–4 weeks. If it is isolated to internal administrative networks with restricted access, you have more flexibility but should still plan patching promptly. Authentication is required, which reduces opportunistic attack surface, but does not eliminate insider threat or compromised-credential risk.

Can a attacker use this to steal student financial data?

Yes. SQL injection can be used to query or modify any data in the underlying database, including student records, course fees, and potentially payment information. Depending on database configuration and access controls, an attacker could extract or corrupt sensitive information.

Will a WAF rule alone protect us if we cannot patch immediately?

A WAF can significantly reduce attack surface by blocking common SQL injection patterns, but is not a substitute for patching. WAF rules can fail if the injection pattern is novel or obfuscated. Use WAF as a temporary defensive layer while you plan and test patches.

Is this in the CISA KEV catalog?

No, this vulnerability is not currently on the CISA Known Exploited Vulnerabilities catalog. However, public exploit code exists, and that status can change. Monitor the KEV catalog for updates and assume this could be actively exploited.

This analysis is provided for informational purposes and represents the state of public vulnerability information as of the publication date. SEC.co does not warrant the completeness or accuracy of vendor patch information; verify all patches and workarounds directly with itsourcecode. This vulnerability is not listed on CISA's KEV catalog as of the publication date. Exploit code availability does not imply active exploitation in your environment. Conduct your own risk assessment based on your network topology, user access model, and data sensitivity. No exploit code or weaponized proof-of-concept instructions are provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).