Automated Voting System
CVE-2025-12238
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A security flaw has been discovered in code-projects Automated Voting System 1.0. The affected element is an unknown function of the file /admin/user.php. Manipulation of the argument Username results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used.
Analysis (AI-generated)
SQL injection in code-projects Automated Voting System 1.0 allows authenticated remote attackers to manipulate the Username parameter in /admin/user.php, enabling unauthorized database queries with limited confidentiality and integrity impact. The vulnerability requires valid login credentials (PR:L) and has publicly available exploit code, though real-world exploitation risk is minimal given the CVSS 2.1 score and 0.03% EPSS percentile.
Technical Context (AI-generated)
The vulnerability exists in a PHP-based web application file (/admin/user.php) that fails to properly sanitize user input for the Username parameter before using it in SQL queries. This represents a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) vulnerability, where unsanitized input flows directly into SQL construction without parameterized queries or proper escaping. The affected product is code-projects Automated Voting System version 1.0, as identified by CPE cpe:2.3:a:fabian:automated_voting_system:1.0. The vulnerability is network-accessible but requires prior authentication, limiting the attack surface to users with valid admin credentials.
Remediation (AI-generated)
Contact code-projects or Fabian (vendor) to request a security patch for version 1.0, as no vendor-released patch version is currently documented. In the interim, implement immediate compensating controls: restrict /admin/user.php access to a whitelist of trusted internal IP addresses using firewall rules or web application firewall (WAF) rules, and disable direct HTTP/HTTPS access to the /admin directory from untrusted networks. Additionally, implement input validation on the Username parameter by enforcing strict character allowlists (alphanumeric plus underscore only) at the application layer before any database query. Review and enable SQL query logging to detect exploitation attempts. These controls limit network exposure while maintaining functionality for legitimate administrators on trusted networks, though they do not replace a proper code fix. A permanent solution requires vendor patching or application code review to implement parameterized queries (prepared statements) for all database interactions.
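As an added example (not the project's own code; the affected function in /admin/user.php is unknown, so the vulnerable form is a hypothetical reconstruction of the concatenation pattern the Technical Context describes), a Username lookup shown first in that unsafe form and then in the hardened form the Remediation calls for: an application-layer allowlist on Username followed by a PDO prepared statement. The users table layout and the in-memory SQLite backing store are assumptions so that the snippet runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hypothetical vulnerable form (assumed; the real function is unknown): the
// Username parameter is concatenated straight into the SQL string, so any
// quote character in it is parsed as part of the query.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Application-layer allowlist: alphanumeric plus underscore only, as the
// remediation suggests. A length bound keeps oversized input out as well.
function isValidUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $username) === 1;
}

// Hardened form: reject anything outside the allowlist (logging the rejected
// value hex-encoded so it is safe to record and useful for detection), then
// bind the value with a prepared statement so the database never parses it as SQL.
function findUserSafe(PDO $db, string $username): array
{
    if (!isValidUsername($username)) {
        error_log('Rejected Username in /admin/user.php: ' . bin2hex($username));
        throw new InvalidArgumentException('Invalid username');
    }
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone usage against an in-memory SQLite database with constructed
// sample rows (the real schema is not known and is assumed here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'voter')");

echo count(findUserSafe($db, 'alice')), " row(s) for alice\n";
try {
    findUserSafe($db, "alice'");   // contains a quote: rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

The error_log line is the hook for the query-logging control above: rejected values land in the web server's error log, where they can be alerted on.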