If exploited, an attacker could read, alter, or delete all student records stored in the application's database, including personally identifiable information such as names, enrollment details, and identification numbers. For educational institutions, unauthorized disclosure of student data may trigger notification obligations under applicable student privacy laws, and data destruction could disrupt enrollment or academic record operations. The narrow deployment base of this specific product limits broad exposure, but any institution running this application internet-facing carries direct data integrity and compliance risk.
You Are Affected If
You run code-projects Student Details Management System 1.0 in your environment
The /index.php endpoint is accessible from the internet or an untrusted network without WAF or IPS coverage
No input validation or parameterized query fix has been applied to the 'roll' parameter
The application's database account has broad permissions (read/write/delete) rather than least-privilege access
Web server and database query logging is not enabled, leaving exploitation attempts undetected
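The "parameterized query fix" mentioned in the checklist, shown as an added illustration rather than the vendor's own code: a hypothetical replacement for the roll lookup in /index.php that validates the parameter, binds it through a prepared statement, and connects with a least-privilege database account. The table and column names (students, roll, name, enrollment), the DSN, the account name and the numeric format of a roll number are assumptions.

```php
<?php
// Added example (not code from the Student Details Management System project).
// Hypothetical hardened handler for the 'roll' parameter of /index.php.
// Assumed schema: table `students` with an integer column `roll`.

declare(strict_types=1);

function lookupStudentByRoll(PDO $db, string $rawRoll): ?array
{
    // 1. Input validation: treat a roll number as a short positive integer (assumed format)
    //    and reject anything else before it reaches the database layer. Log the rejection
    //    so that probing of this parameter is visible even when query logging is off.
    if (!preg_match('/^\d{1,10}$/', $rawRoll)) {
        http_response_code(400);
        error_log(sprintf('index.php: rejected roll parameter from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return null;
    }

    // 2. Parameterized query: the value is bound as data, never concatenated into the
    //    SQL text, so the database cannot interpret it as part of the statement.
    $stmt = $db->prepare('SELECT roll, name, enrollment FROM students WHERE roll = :roll');
    $stmt->bindValue(':roll', (int) $rawRoll, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: this page only reads, so connect as an account that holds
//    SELECT on `students` and nothing else (assumed account name). Emulated prepares
//    are disabled so MySQL performs the parameter binding server-side.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=sdms;charset=utf8mb4',   // assumed DSN
    'sdms_readonly',                                      // assumed read-only user
    getenv('SDMS_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$student = lookupStudentByRoll($db, $_GET['roll'] ?? '');
```

The same three controls map directly onto the checklist items above: validation and binding close the injection, the read-only account bounds what a successful injection elsewhere could reach, and the error_log call gives the web server log something to correlate against.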
Board Talking Points
A publicly known security flaw in a student records web application allows an outsider to steal or destroy the data it holds with no login required.
Technology teams should verify whether this application is in use and, if so, restrict access or take it offline within 24 hours while a fix is applied.
Without action, student records could be extracted or destroyed, creating regulatory notification exposure and potential reputational harm with students and parents.
FERPA — application stores student academic records; unauthorized database access via SQL injection may constitute a disclosure of protected education records under 20 U.S.C. § 1232g if the system is operated by a US educational institution receiving federal funding