Online Event Judging System
CVE-2025-12262
Severity: LOW
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was determined in code-projects Online Event Judging System 1.0. It affects an unknown function of the file /edit_criteria.php. Manipulation of the argument crit_id can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
SQL injection in code-projects Online Event Judging System 1.0 via the crit_id parameter in /edit_criteria.php allows authenticated remote attackers to manipulate database queries with low confidentiality and integrity impact. Exploitation requires valid user authentication but can be executed remotely with no user interaction. Publicly available exploit code exists; however, the EPSS score of 0.03% (8th percentile) indicates this vulnerability has minimal real-world exploitation probability despite public disclosure.
Technical Context (AI)
The vulnerability exists in the /edit_criteria.php file where user-supplied input from the crit_id parameter is improperly validated before being incorporated into SQL queries. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) vulnerability manifesting as SQL injection. The affected product is a PHP-based event judging system (CPE: cpe:2.3:a:carmelo:online_event_judging_system:1.0) that likely uses parameterized queries inadequately or concatenates user input directly into SQL statements without sanitization.
Remediation (AI)
Upgrade to a patched version if available from the vendor or apply immediate input validation to the crit_id parameter in /edit_criteria.php by using parameterized prepared statements with bind parameters instead of string concatenation. If vendor patches are unavailable, implement a Web Application Firewall (WAF) rule to block requests containing SQL metacharacters (single quotes, double dashes, semicolons) in the crit_id parameter, though this may block legitimate criteria names containing special characters. Restrict access to /edit_criteria.php to authorized administrators only via role-based access controls. Contact the vendor (code-projects.org) to confirm patch availability and timeline.
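The following is an added illustration of the remediation above, not code from the Online Event Judging System itself: a hypothetical concatenating lookup of the kind the analysis describes, beside a hardened version that validates crit_id as an integer and binds it through a PDO prepared statement. The table and column names and the DSN are assumptions.

```php
<?php
// Added example (not the project's code). Assumes a `criteria` table with an
// integer `crit_id` column; the DSN and credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=judging', 'app_user', 'PLACEHOLDER_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Disable client-side prepare emulation so the server receives statement text
// and bound values separately; with emulation on, PDO interpolates them itself.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Vulnerable pattern (hypothetical): the request value becomes part of the SQL
// text, so whatever the user supplies is parsed as part of the statement.
function loadCriteriaUnsafe(PDO $pdo, array $request): ?array
{
    $sql = 'SELECT * FROM criteria WHERE crit_id = ' . $request['crit_id'];
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: reject anything that is not a positive integer, then bind
// the value as a typed parameter so it can never alter the statement's shape.
function loadCriteriaSafe(PDO $pdo, array $request): ?array
{
    $critId = filter_var(
        $request['crit_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($critId === false) {
        // Invalid or missing id: fail closed rather than falling through to the query.
        http_response_code(400);
        return null;
    }

    $stmt = $pdo->prepare('SELECT * FROM criteria WHERE crit_id = :crit_id');
    $stmt->bindValue(':crit_id', $critId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage at the top of the edit page: the validated lookup replaces direct concatenation.
$criteria = loadCriteriaSafe($pdo, $_GET);
```

The same bind-parameter pattern applies to the UPDATE that such an edit page performs after the form is submitted; every column value, not only crit_id, should be bound rather than concatenated.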