Online Event Judging System
CVE-2025-12263
Severity (by source): LOW
Primary rating from NVD; NVD is the only source for this CVE.
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in code-projects Online Event Judging System 1.0. Affected is an unknown function of the file /edit_judge.php. The manipulation of the argument judge_id leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Analysis (AI)
SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the judge_id parameter in /edit_judge.php, with publicly available exploit code demonstrating the vulnerability. The low CVSS score (2.1) reflects limited confidentiality impact and required authentication, but the SQL injection itself is a high-severity vulnerability class that could enable data exfiltration or modification depending on database permissions and downstream query construction.
Technical Context (AI)
The vulnerability exists in the /edit_judge.php file where user-supplied input from the judge_id parameter is passed directly into SQL queries without proper sanitization or prepared statement usage. This is a classic SQL injection vulnerability (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component, also closely related to CWE-89). The affected product is code-projects Online Event Judging System version 1.0, a PHP-based web application for managing online event judging. The attacker must possess valid credentials to access the /edit_judge.php endpoint, as indicated by the CVSS vector PR:L (requires low privilege account), but can then craft SQL payloads through the judge_id parameter to manipulate database queries.
Remediation (AI)
Apply the vendor-released patch to upgrade from version 1.0 to the next available patched release (contact code-projects at https://code-projects.org/ for availability). Primary fix: implement parameterized queries (prepared statements) in /edit_judge.php so that all user input, especially the judge_id parameter, is bound as data rather than interpolated into the SQL text, which prevents injected SQL syntax from altering the query. If patching is delayed, implement database-level controls: restrict the database user account used by the application to the minimum required permissions (remove DELETE/UPDATE if only SELECT is needed), and apply input validation using strict whitelist patterns for judge_id (e.g., numeric-only if judge_id should be an integer). Additionally, enforce strong access controls on /edit_judge.php to limit who can authenticate to the application. These compensating controls reduce but do not eliminate the injection risk while queries remain concatenated; code-level parameterization is required for complete remediation.
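An added illustration of the remediation above, not code from the code-projects application: a hypothetical handler showing the concatenated-query pattern that produces this bug class beside a hardened version that validates judge_id as an integer and binds it through a PDO prepared statement. The table and column names (judges, judge_id, judge_name) and the DSN are assumptions.

```php
<?php
// Added example modelled on the described bug class; the schema (judges,
// judge_id, judge_name) is assumed and is not the project's actual code.

// Vulnerable pattern: the request parameter is interpolated straight into
// the SQL text, so SQL metacharacters in judge_id change the query structure.
function loadJudgeVulnerable(PDO $db, array $get): ?array
{
    $sql = "SELECT judge_id, judge_name FROM judges WHERE judge_id = " . $get['judge_id'];
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC); // query text and user data are mixed
    return $row === false ? null : $row;
}

// Hardened pattern: strict whitelist validation plus a prepared statement.
function loadJudgeHardened(PDO $db, array $get): ?array
{
    // judge_id must be a positive integer; anything else is rejected outright.
    $judgeId = filter_var(
        $get['judge_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($judgeId === false) {
        http_response_code(400);
        return null;
    }
    // The SQL text is fixed; the value travels separately as a typed bound
    // parameter, so it can never alter the statement's structure.
    $stmt = $db->prepare('SELECT judge_id, judge_name FROM judges WHERE judge_id = :id');
    $stmt->bindValue(':id', $judgeId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup for the hardened path: emulated prepares are disabled so
// the database server itself performs the binding. The account named here
// should hold only the privileges the page needs (SELECT/UPDATE on judges),
// matching the least-privilege control recommended above.
function connect(): PDO
{
    // DSN and credentials are placeholders.
    return new PDO('mysql:host=localhost;dbname=event_judging;charset=utf8mb4', 'judging_app', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}
```

Because the hardened handler rejects non-integer input before the query is built, the whitelist check also doubles as a cheap detection point: logging 400 responses from this endpoint surfaces probing attempts.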