Online Event Judging System
CVE-2025-12254
Severity: LOW (rated by NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in code-projects Online Event Judging System 1.0. Affected by this issue is some unknown functionality of the file /add_judge.php. Manipulation of the argument fullname leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used.
Analysis (AI)
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the fullname parameter of /add_judge.php, enabling limited data extraction with low confidentiality impact. The CVSS score of 2.1 reflects the authentication requirement and the bounded scope. Publicly available exploit code exists, but the 0.03% EPSS percentile indicates a minimal real-world exploitation probability despite the public POC.
Technical Context (AI)
The vulnerability exists in a PHP-based web application for online event judging. The /add_judge.php endpoint accepts user input in the fullname parameter without proper parameterized query construction or input validation, violating CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The SQL injection allows attackers with valid credentials to craft malicious SQL syntax within the fullname field, potentially extracting data from the underlying database. The authentication requirement (PR:L in CVSS 4.0 vector) indicates attackers must first obtain valid user credentials, significantly limiting the attack surface compared to unauthenticated SQL injection vulnerabilities.
Remediation (AI)
Immediate action requires upgrading to a patched version if one is available from the vendor; however, no vendor-released patch version has been identified in the available data. Contact code-projects directly via https://code-projects.org/ to request a security update for version 1.0. Pending vendor remediation, the following compensating controls apply:
1. Restrict access to /add_judge.php to trusted administrative IP addresses via firewall or reverse proxy rules.
2. Implement parameterized queries (prepared statements) in the add_judge.php handler for all user input, particularly the fullname parameter, so that SQL syntax cannot be injected.
3. Enforce the principle of least privilege: limit the application's database account to the minimum permissions required and remove judge-creation privileges from standard user roles.
4. Validate and sanitize the fullname parameter on the server side using a whitelist of allowed characters (alphanumeric, spaces, and hyphens only).
5. Apply Web Application Firewall (WAF) rules to detect and block common SQL injection payloads in the fullname parameter.
These controls should significantly reduce exploitation likelihood while a permanent vendor patch is pursued.
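The following is an added illustration of controls 2 and 4 above, not code from the Online Event Judging System itself: the concatenated-query shape the advisory describes, beside a handler that whitelists fullname and binds it with a mysqli prepared statement. The table name `judges`, the connection `$conn`, the `validate_fullname` helper and the `is_admin` session flag are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a MySQL table `judges`
// with a `fullname` column, an open mysqli connection in $conn, and a
// session started earlier with session_start().

// Hypothetical helper implementing the advisory's whitelist: letters,
// digits, spaces and hyphens only, with a length bound. Reject, never "fix".
function validate_fullname(string $fullname): ?string {
    $fullname = trim($fullname);
    if ($fullname === '' || strlen($fullname) > 100) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9 -]+$/', $fullname)) {
        return null;
    }
    return $fullname;
}

// Vulnerable shape: untrusted input is concatenated into the SQL text, so
// quote characters in $fullname change the query rather than the data.
function add_judge_unsafe(mysqli $conn, string $fullname): bool {
    $sql = "INSERT INTO judges (fullname) VALUES ('" . $fullname . "')";
    return $conn->query($sql) !== false;
}

// Hardened shape: whitelist validation plus a prepared statement. The value
// is sent as a bound parameter and is never parsed as SQL by the server.
function add_judge_safe(mysqli $conn, string $fullname): bool {
    $clean = validate_fullname($fullname);
    if ($clean === null) {
        return false;
    }
    $stmt = $conn->prepare('INSERT INTO judges (fullname) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $clean);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Handler wiring (control 3): only an administrative role may create judges.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    if (!add_judge_safe($conn, $_POST['fullname'] ?? '')) {
        http_response_code(400);
        exit('Invalid judge name');
    }
}
```

The whitelist as stated by the advisory rejects legitimate names containing apostrophes or non-ASCII letters; the prepared statement is the control that actually prevents injection, so widen the character set only after it is in place.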