OWASP / crAPI

completely ridiculous API (crAPI)

Challenge #13 : SQL Injection

rallapallinagarjun opened this issue · comments

Challenge 12 and 13 are somewhat related to each other.
NoSQL Injection can be cracked “manually” on /community/api/v2/coupon/validate-coupon - {"coupon_code":"TRAC075"} on this endpoint.
The same endpoint can't have a SQL injection attack, because the table will be part of a NoSQL DB (for coupons).
How can the same endpoint be used for SQL injection, if a different column of the same table (for Challenge 12) will be updated to redeem an already claimed coupon, and the table is NoSQL based?

Since the service tracking the coupon redemption is different, it can have its own stack. Do look at the apis/postman_collections to learn more.

It is not the same endpoint but a different endpoint which is coupon related.
Closing this issue as it is more of a doubt than issue. Please reopen a thread in discussion forum if needed.
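As an added defensive example (not crAPI's own code), the following Go validator shows how the coupon-lookup service in the thread could accept `{"coupon_code":"TRAC075"}` while refusing the operator-object shape behind NoSQL injection. The function name, the allow-list pattern and both request bodies are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Constructed request bodies for the validate-coupon endpoint named in the thread.
// The first is the legitimate shape; the second substitutes a query-operator
// object for the string, which is the shape this check refuses.
const (
	validBody    = `{"coupon_code":"TRAC075"}`
	injectedBody = `{"coupon_code":{"$ne":""}}`
)

// couponCodePattern is an assumed allow-list: the coupon code in the thread is a
// short upper-case alphanumeric string, so anything else is rejected up front.
var couponCodePattern = regexp.MustCompile(`^[A-Z0-9]{4,16}$`)

var (
	ErrNotString = errors.New("coupon_code must be a JSON string, not an object or array")
	ErrBadFormat = errors.New("coupon_code has an unexpected format")
)

// ParseCouponCode decodes the body into raw JSON values, then unmarshals
// coupon_code strictly as a string. Decoding into map[string]interface{} and
// passing the value straight into a document-database filter would let an
// object become a query operator; the json.RawMessage step prevents that.
func ParseCouponCode(body []byte) (string, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(body, &fields); err != nil {
		return "", fmt.Errorf("invalid JSON body: %w", err)
	}
	raw, ok := fields["coupon_code"]
	if !ok {
		return "", errors.New("coupon_code is required")
	}
	var code string
	if err := json.Unmarshal(raw, &code); err != nil {
		// Unmarshalling an object, number, or array into a string fails here.
		return "", ErrNotString
	}
	if !couponCodePattern.MatchString(code) {
		return "", ErrBadFormat
	}
	return code, nil
}

func main() {
	for _, b := range []string{validBody, injectedBody} {
		code, err := ParseCouponCode([]byte(b))
		fmt.Printf("%s -> code=%q err=%v\n", b, code, err)
	}
}
```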