Online Event Judging System
CVE-2025-12255
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security flaw has been discovered in code-projects Online Event Judging System 1.0. It affects an unknown part of the file /add_contestant.php. Manipulation of the argument fullname results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used.
Analysis (AI)
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the fullname parameter of /add_contestant.php and alter the database queries it builds, with limited data access. Real-world risk is low despite public exploit availability, because the flaw requires valid user credentials and yields only limited information disclosure (CVSS 2.1, EPSS 0.03%); organizations running this application should still apply fixes promptly to remove the attack vector entirely.
Technical Context (AI)
The vulnerability exists in a PHP-based web application that processes contestant registration through the /add_contestant.php endpoint. The application fails to sanitize or parameterize the fullname input parameter before incorporating it into SQL queries, so an authenticated user can inject arbitrary SQL syntax. The flaw is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating a failure to escape or filter user-controlled input before it reaches the database. The affected product is identified by CPE 2.3:a:carmelo:online_event_judging_system:1.0, suggesting a small-scale educational or competition management tool rather than enterprise software.
Remediation (AI)
Apply vendor updates or patches if available from code-projects or the Carmelo development team. If patched versions are unavailable, implement compensating controls immediately: use parameterized prepared statements in the database code of /add_contestant.php; validate the fullname parameter against a whitelist that permits only alphanumeric characters and common punctuation (spaces, hyphens, apostrophes); grant the application's database user least-privilege access so it has no write permissions beyond the contestant table; and deploy a Web Application Firewall (WAF) rule that blocks requests containing SQL keywords (UNION, SELECT, OR, etc.) in the fullname parameter. If the application is not actively used, consider disabling the contestant management feature or restricting access to it with network access controls or authentication tokens. Coordinate patching with functional testing, since WAF rules may block legitimate names containing special characters.