Online Event Judging System
CVE-2025-12256
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in code-projects Online Event Judging System 1.0. This vulnerability affects unknown code of the file /edit_contestant.php. Manipulation of the argument contestant_id can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to manipulate the contestant_id parameter of /edit_contestant.php, with limited confidentiality, integrity and availability impact. A public exploit exists, but the low EPSS score (0.03%) suggests minimal real-world exploitation risk.
Technical Context (AI)
The vulnerability is a SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an Output) in a PHP-based web application. /edit_contestant.php passes the user-supplied contestant_id parameter into a SQL query without input validation or parameterized queries, so an attacker can inject arbitrary SQL. The affected product, Online Event Judging System, is a PHP web application for contest management. The attack vector is network-based, but exploitation requires a valid account (PR:L in the CVSS vector denotes low-privilege authenticated access).
Remediation (AI)
Apply a vendor patch if available from code-projects (check https://code-projects.org/ for releases newer than version 1.0). If no patched version is available, implement compensating controls immediately:
(1) Use parameterized SQL queries (prepared statements) in /edit_contestant.php so that contestant_id is bound as data and never interpreted as SQL.
(2) Validate contestant_id against a whitelist that accepts only numeric values.
(3) Apply Web Application Firewall (WAF) rules that detect and block SQL injection patterns in the contestant_id parameter.
(4) Where possible, restrict access to the /edit_contestant.php endpoint to trusted administrative networks via an IP allowlist.
Because exploitation requires authentication (PR:L), unauthenticated remote exploitation is not possible, so access-control hardening is an effective interim control. Code review and security testing of all user-input handling in the application should be prioritized.
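The following is an added illustration of remediation steps (1) and (2), not code from the Online Event Judging System: the page does not show the actual contents of /edit_contestant.php, so the table name (contestants), the columns (contestant_id, name) and the use of mysqli are assumptions. It places the injectable concatenation pattern beside a hardened handler that validates contestant_id as a positive integer and binds it through a prepared statement.

```php
<?php
// Added illustrative example; not code from the Online Event Judging System.
// The real /edit_contestant.php is not on the page, so the table and column
// names (contestants, contestant_id, name) and the mysqli driver are assumed.

declare(strict_types=1);

// --- Vulnerable pattern: the class of defect CVE-2025-12256 describes ---
// The request parameter is concatenated straight into the SQL text, so a
// value containing a quote changes the structure of the statement.
function loadContestantVulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['contestant_id'] ?? '';
    $sql = "SELECT contestant_id, name FROM contestants WHERE contestant_id = '" . $id . "'";
    $result = $db->query($sql);                 // injectable: do not use
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern ---
// Step (2): whitelist the input. contestant_id must be a positive integer;
// anything else (including "1 OR 1=1" style strings) yields null.
function parseContestantId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step (1): prepared statement. The value is bound as an integer parameter
// and is never part of the SQL text, so it cannot alter the query.
function loadContestantSafe(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT contestant_id, name FROM contestants WHERE contestant_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handler: validate first, fail closed on bad input, then query.
// The session/authentication check that gives this endpoint its PR:L
// precondition is assumed to run before this function and is omitted here.
function handleEditContestant(mysqli $db, array $get): void
{
    $id = parseContestantId($get['contestant_id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        echo 'contestant_id must be a positive integer';
        return;
    }
    $row = loadContestantSafe($db, $id);
    if ($row === null) {
        http_response_code(404);
        echo 'No such contestant';
        return;
    }
    // Render the edit form; output encoding prevents the separate XSS class.
    echo htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8');
}
```

Rejecting non-integer input before the query (step 2) means the database never sees malformed identifiers, and binding the integer through `bind_param` (step 1) removes the injection even if validation were later loosened; the two controls are independent, so a regression in one does not reopen the flaw.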