CVE-2026-11486

SourceCodester · Class and Exam Timetabling System

A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System 1.0 via the 'sy' argument in the /archive1.php file.

Executive summary

A critical SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System allows unauthenticated remote attackers to compromise backend database integrity.

Vulnerability

The application fails to properly sanitize the 'sy' input argument within the /archive1.php file. This allows an unauthenticated attacker to inject malicious SQL commands, potentially leading to unauthorized data exfiltration or database manipulation.

Business impact

This vulnerability carries a CVSS score of 7.3, indicating a high-severity risk. Successful exploitation could allow an attacker to bypass authentication, access sensitive academic records, or modify system data, leading to severe reputational damage and potential regulatory non-compliance regarding student data privacy.

Remediation

Immediate Action: Check with the vendor for an available security patch and apply it immediately so that the affected input parameters are properly sanitized.

Proactive Monitoring: Monitor web server logs for suspicious URL patterns or SQL syntax fragments targeting the /archive1.php endpoint.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns in incoming HTTP requests.
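As an added illustration of the "Proactive Monitoring" item above (this is example code written for this page, not part of the advisory or of the SourceCodester project), the script below scans web server access logs for requests to /archive1.php whose 'sy' parameter carries SQL injection indicators. It assumes the combined log format used by Apache and nginx; the log lines, IP addresses and timestamps are constructed test data, and the indicator patterns are a heuristic starting point for a log review or WAF rule, not an exhaustive signature set.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not traffic from any real deployment).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:15:01 +0000] "GET /archive1.php?sy=2023-2024 HTTP/1.1" 200 5120
203.0.113.11 - - [12/Mar/2026:10:15:07 +0000] "GET /archive1.php?sy=2024-2025 HTTP/1.1" 200 5101
198.51.100.7 - - [12/Mar/2026:10:16:40 +0000] "GET /archive1.php?sy=2024%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9842
198.51.100.7 - - [12/Mar/2026:10:16:55 +0000] "GET /archive1.php?sy=2024%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 12011
203.0.113.12 - - [12/Mar/2026:10:17:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 3310
"""

# Endpoint and parameter named in the advisory.
WATCHED_PATH = "/archive1.php"
WATCHED_PARAM = "sy"

# Combined log format: client, identd, user, [timestamp], "METHOD target HTTP/x", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(value: str) -> list[str]:
    """Return the reasons a decoded parameter value looks like SQL injection.

    A legitimate school-year value such as '2023-2024' yields an empty list; a
    single hyphen is not treated as a comment sequence.
    """
    reasons = []
    if re.search(r"['\"]", value):
        reasons.append("quote character")
    if re.search(r"--|/\*|#", value):
        reasons.append("SQL comment sequence")
    if re.search(r"\b(union|select|sleep|benchmark)\b", value, re.I):
        reasons.append("SQL keyword")
    if re.search(r"\b(or|and)\b\s*['\"\d(]", value, re.I):
        reasons.append("boolean tautology pattern")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Return one finding per request to the watched endpoint with a suspicious 'sy' value."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        url = urlsplit(entry["target"])
        if url.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are visible to the checks.
        for value in parse_qs(url.query).get(WATCHED_PARAM, []):
            reasons = sqli_indicators(value)
            if reasons:
                findings.append(
                    {"ip": entry["ip"], "ts": entry["ts"], "value": value, "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} sy={f['value']!r}: {', '.join(f['reasons'])}")
```

Run against a real log (`scan_log(open("access.log").read())`) the script reports the source address, timestamp and decoded parameter value for each hit, which is enough to pivot into the rest of that client's session. Decoding before matching matters: the indicators are invisible in the raw URL-encoded line, which is also why a WAF rule for this endpoint should inspect the decoded query string rather than the raw request line.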

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the availability of public exploit code and the ease of triggering this SQL injection, the risk is elevated. Administrators should prioritize patching this instance immediately and ensure that all input handling routines are reviewed for similar sanitization flaws.