Campcodes Advanced Online Voting System CVE-2025-11417
LOW severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. This vulnerability affects unknown code of the file /admin/voters_add.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
Unrestricted file upload in Campcodes Advanced Online Voting System 1.0 allows an authenticated attacker to upload arbitrary files by manipulating the photo parameter of /admin/voters_add.php. The attack is network-reachable (AV:N) and needs an account (PR:L) but no user interaction; NVD scores the impact on confidentiality, integrity and availability as low (VC:L/VI:L/VA:L) and the overall rating as LOW. Public exploit code exists (E:P), yet the EPSS score of 0.04% indicates a small probability of exploitation in the wild; because the endpoint sits under /admin/, an attacker needs administrative credentials first, which is the main thing holding the practical risk down.
Technical Context (AI)
The vulnerability lives in the PHP administrative endpoint voters_add.php, which accepts a file through the photo parameter without adequate server-side restriction on what is uploaded. The CVE is tagged CWE-284 (Improper Access Control); note that CWE-284 describes a missing restriction rather than faulty input validation, and the behaviour described (any file type accepted and written to disk) is the classic unrestricted-upload pattern. An attacker holding admin credentials does not have to bypass anything: the client-supplied file name and extension are accepted as-is, so a file with a .php extension can be uploaded. If the upload directory is inside the web root and the web server hands .php files to the interpreter, requesting the uploaded file yields code execution on the server.
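The following is an added example, not the Campcodes source: it shows the generic "trust the client's file name" upload pattern that produces this class of bug, beside a hardened handler that sniffs the content, discards the original name and stores the file outside the web root. Function names, constants and the storage path are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// --- Vulnerable pattern (generic reconstruction, NOT the project's code) ---
// Trusts the client-supplied name and extension and writes into the web root,
// so an uploaded "shell.php" becomes a script the web server will execute.
function saveVotersPhotoUnsafe(array $file, string $webRoot): string
{
    $dest = $webRoot . '/images/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened version ---
const MAX_PHOTO_BYTES = 2 * 1024 * 1024;
// MIME type detected from content => extension the server will assign.
const ALLOWED_IMAGES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function saveVotersPhoto(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . (string) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('photo too large');
    }

    // $_FILES['photo']['type'] and the extension are attacker-controlled; ignore both
    // and sniff the magic bytes server-side instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGES[$mime])) {
        throw new RuntimeException('rejected MIME type: ' . var_export($mime, true));
    }
    // Second check: the file must actually decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file does not decode as the claimed image type');
    }

    // Server-chosen random name and server-chosen extension; the original name is
    // never used, so traversal and double extensions (x.php.jpg) cannot matter.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    // $storageDir is assumed to be OUTSIDE the web root (e.g. /var/lib/votingsystem/photos).
    $dest = rtrim($storageDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store photo');
    }
    // Not world-writable; note the mode bit is NOT what stops PHP execution,
    // the storage location outside the web root is.
    chmod($dest, 0640);
    return $name; // persist this name; serve it back through a download handler
}

// Usage in an upload handler such as voters_add.php (assumed path):
// $storedName = saveVotersPhoto($_FILES['photo'], '/var/lib/votingsystem/photos');
```

Caveat: finfo and getimagesize both accept a polyglot, a valid JPEG with PHP code appended after the image data, so content sniffing alone is not what prevents execution; the server-chosen name and the storage location outside the web root are. If GD is available, re-encoding the image (imagecreatefromjpeg followed by imagejpeg) additionally strips trailing payloads. The download handler that serves these files should set Content-Type from the stored extension and Content-Disposition: attachment, and never echo the raw name from the database into a filesystem path without the same validation.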
Remediation (AI)
No patched release beyond version 1.0 has been confirmed in public advisories, so the fix has to be applied as compensating controls until the vendor ships one: (1) Restrict access to /admin/ (not just voters_add.php) to trusted IP ranges or a VPN in the web server configuration; the trade-off is lost flexibility if remote administration is required. (2) Validate the photo upload server-side by sniffing the content (magic bytes via finfo, then getimagesize) rather than trusting the client-supplied extension or MIME type, and accept only the expected image formats (JPEG, PNG). (3) Store uploads outside the web root under a server-generated name with a server-chosen extension, and serve them through a download handler instead of by direct URL; a restrictive file mode such as 0640 limits who can write the file, but it does not stop the PHP interpreter from running a file the web server hands to it, so the storage location is the control that matters. (4) If uploads must stay under the web root, disable script execution in that directory in the web server configuration: on Apache, php_flag engine off only works with mod_php (under php-fpm it is ignored in server config and causes a 500 error in .htaccess), so deny access to script extensions with a FilesMatch block and set AllowOverride None so an uploaded .htaccess cannot re-enable them; on nginx, make sure the upload location has no fastcgi_pass for .php files. Contact Campcodes at www.campcodes.com to request a patched release or security guidance.
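An added configuration example, not from the vendor, showing control (4) for Apache httpd 2.4 in the vhost or server config; the upload path is an assumption. The weak form is the php_flag line the remediation above mentions, kept here commented out to show why it is not enough on its own.

```apache
# Hardening for an upload directory that lives under the web root.
# Path is hypothetical; adjust to the deployment.
<Directory "/var/www/html/images">
    # Weak: only affects mod_php. Under php-fpm/FastCGI this directive does not
    # exist, so it is either ignored or (in .htaccess) breaks the directory with a 500.
    # php_flag engine off

    # Robust: refuse to serve anything with a script extension, whatever the PHP SAPI.
    # Access control runs before any handler, so a server-level
    # "<FilesMatch \.php$> SetHandler proxy:..." for php-fpm cannot override it.
    <FilesMatch "\.(?i:php|phtml|phar|php[0-9]|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # No CGI or SSI in here either.
    Options -ExecCGI -Includes

    # An attacker who can write into this directory can also write .htaccess;
    # make sure it is ignored.
    AllowOverride None
</Directory>
```

Apply the block in httpd.conf or the vhost file rather than in a .htaccess inside the upload directory, since the directory is by definition writable by the application and therefore by anyone who controls its uploads.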