
code-projects Voting System CVE-2025-8174

Severity: LOW
Weakness: Improper Access Control (CWE-284)
2025-07-26 · CNA: cna@vuldb.com
Score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact (C/I/A): Low / Low / Low
Subsequent System Impact (C/I/A): None / None / None
Exploit Maturity: Proof-of-Concept
Safety (supplemental): Not Defined

CVSS 4.0 has no Scope metric; the trailing S:X in the vector is the supplemental Safety metric, left undefined.

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:30 (vuln.today)

Description (CVE.org)

A vulnerability was found in code-projects Voting System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/candidates_add.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Unrestricted file upload in code-projects Voting System 1.0 allows an authenticated remote attacker to upload arbitrary files via the photo parameter of /admin/candidates_add.php. If the uploaded file lands under the web root and the server executes PHP from that location, this is a direct path to remote code execution. A public exploit exists. The NVD vector rates the vulnerable-system impact as Low on confidentiality, integrity and availability (VC:L/VI:L/VA:L) with proof-of-concept exploit maturity, which is what produces the 2.1 score; that score describes a partial impact, not the effect of a web shell on the host, so treat it as a floor rather than as a measure of what a successful upload can do. The 0.06% EPSS value cited here indicates a low predicted likelihood of exploitation in the wild, driven mainly by the authentication requirement. One caveat on that barrier: the vector encodes PR:L (low privileges) and the assigned weakness is CWE-284 (Improper Access Control), which together leave open whether the endpoint actually verifies an administrator session; verify this in the deployment rather than assuming the admin login protects it.

Technical Context (AI)

The flaw is an unrestricted file upload in a PHP web application. The handler behind /admin/candidates_add.php accepts the photo form field and stores it without restricting the file type, so a client can submit a file whose name and contents are not an image (for example a .php script) and have it persisted on the server. The record is tracked as CWE-284 (Improper Access Control); the weakness that most directly describes the upload itself is CWE-434 (Unrestricted Upload of File with Dangerous Type), while CWE-284 points at the other half of the problem, that an administrative upload function is reachable by an authenticated user without adequate authorization checks. Two conditions turn the upload into code execution: the upload directory is served by the web server, and the server is configured to execute PHP from it, which is the default for any directory under the document root of a typical LAMP-style deployment. Validation based on the client-supplied file name or Content-Type header does not help, because both are attacker controlled; only the file's content and a server-chosen name and location can be trusted.

Remediation (AI)

No vendor-released patch is identified in available sources. Immediate mitigations:

1. Validate uploads on the server from the file's content, not from the client-supplied name or Content-Type header: check the extension against a short allowlist of image extensions and confirm that the content really is a JPEG, PNG or GIF (for example with libmagic and getimagesize()). Reject everything else.
2. Store uploaded files outside the web root, or in a directory where script execution is disabled. With Apache and mod_php, `php_flag engine off` in an .htaccess file only takes effect if AllowOverride permits it; with PHP-FPM put the equivalent in the server configuration, and with nginx make sure no `location ~ \.php$` block matches paths under the upload directory. Serve the stored files through a read-only handler that sets a fixed image Content-Type and X-Content-Type-Options: nosniff.
3. Enforce authorization on /admin/candidates_add.php so that only an authenticated administrator can reach it. IP allowlisting, an additional authentication factor, or WAF rules in front of the /admin/ path reduce exposure while the code is fixed, but are not a substitute for the check in the application.
4. Discard the original file name and store each upload under a random identifier with a server-chosen extension. This stops an attacker from picking the extension, overwriting other files, or predicting the URL of what they uploaded; on its own it does not prevent execution if the directory is still script-enabled, so it complements step 2 rather than replacing it.
5. Upgrade to a maintained voting system if one is available, or request a fix from code-projects.org (https://code-projects.org/).

If none of the above can be applied, disable the candidates_add functionality if it is not in use, and review the upload directory for files that are not genuine images (a PHP file, or a file whose content does not match its extension) as an indicator of prior exploitation.
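The following is an added example written for this page; it is not code from code-projects or from the Voting System itself, and it does not reproduce the actual candidates_add.php handler. It shows the upload pattern that produces this class of bug beside a hardened handler that applies steps 1, 2 and 4 above, plus an audit routine for the review of the upload directory recommended in the last paragraph. The upload directory path, the field name handling, the vulnerable_save() function and the size limit are assumptions chosen for illustration.

```php
<?php
// Added example (not the project's code): unsafe image upload beside a
// hardened handler and an upload-directory audit. Paths and names are assumed.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/voting_uploads';   // assumed: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;            // assumed limit: 2 MiB
const ALLOWED    = [                            // content MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Vulnerable pattern, shown for contrast (an assumed shape, not the project's
// code): trusts the client-supplied name and writes into a web-served directory,
// so a file named shell.php is stored with that name and is executable. Do not use.
function vulnerable_save(array $file): string {
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Returns the extension to assign if $path holds a real JPEG/PNG/GIF, else null.
// Decides from content (libmagic plus the image header parser), never from the
// client-supplied name or Content-Type.
function image_kind(string $path): ?string {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        return null;
    }
    $info = @getimagesize($path);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;                            // magic bytes and image header disagree
    }
    return ALLOWED[$mime];
}

// Hardened save: checks the upload result, size and content, assigns a random
// name with a server-chosen extension, and stores it outside the web root.
function hardened_save(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $ext = image_kind($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not an accepted image');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // original name is discarded
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                          // readable by the web user, never executable
    return $name;                                // persist this name; serve via serve_image()
}

// Read-only delivery with a fixed Content-Type, so the file is only ever
// returned as image data. Only names hardened_save() can produce are accepted.
function serve_image(string $name): void {
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Audit an existing upload directory: list files whose content is not an
// accepted image, or whose extension does not match the content. A .php file
// or a "jpg" that is not a JPEG is a likely trace of prior exploitation.
function audit_upload_dir(string $dir): array {
    $suspicious = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $kind = image_kind($path);
        $ext  = strtolower($entry->getExtension());
        $extMatches = ($ext === $kind) || ($kind === 'jpg' && $ext === 'jpeg');
        if ($kind === null || !$extMatches) {
            $suspicious[] = $path;
        }
    }
    return $suspicious;
}

// Usage in the upload handler, after the administrator session check:
//   $stored = hardened_save($_FILES['photo']);   // then save $stored in the database
// Usage for an incident review of the legacy upload directory:
//   print_r(audit_upload_dir('/var/www/html/admin/uploads'));
```

The content checks reject anything that is not parseable as an image, but they do not defeat a polyglot (a valid JPEG with PHP code in its metadata), which is why storing outside the web root and serving with a fixed Content-Type is the control that actually prevents execution; the validation and random naming reduce what an attacker can place and where, and the audit finds what an earlier, unprotected handler may already have accepted.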


CVE-2025-8174 vulnerability details – vuln.today
