Electronic Judging System
Monthly
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.
Reflected cross-site scripting in itsourcecode Electronic Judging System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the `fname` parameter of `/admin/judges.php`, executing arbitrary JavaScript in the context of a victim's browser session. The CVSS 4.0 score of 2.1 reflects the low integrity impact and mandatory user interaction, consistent with a reflected XSS that requires a victim to follow a crafted URL. The vulnerability is not KEV-listed at time of analysis, but a publicly available proof-of-concept exists on GitHub, slightly elevating practical risk despite the EPSS score of 0.03% (10th percentile).
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - CISA KEV records no confirmed active exploitation at time of analysis.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the admin login endpoint at /intrams/admin/login.php to unauthenticated remote attackers who can manipulate the Username parameter to alter backend SQL query logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction, and publicly available exploit code (E:P) further lowers the barrier to entry. Although EPSS sits at 0.03% (9th percentile) indicating low observed exploitation activity, no vendor patch has been identified at time of analysis, leaving all known deployments of version 1.0 without an official remediation path.
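As an added defender-side example (not part of the advisories above or of the itsourcecode project), this Python script scans Common Log Format web-server lines for requests to the GET-reachable endpoints named above and flags parameter values that do not fit the shape a legitimate request carries; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Endpoints/parameters named in the advisories above and the shape a legitimate
# value has; login.php's Username is POSTed, so it is absent from access logs.
WATCHED = {
    "/admin/delete_judge.php": {"judge_id": "int"},
    "/admin/edit_judge.php": {"judge_id": "int"},
    "/admin/edit_team.php": {"num_id": "int"},
    "/admin/judges.php": {"fname": "text"},
}
SQLI = re.compile(r"'|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=", re.I)
XSS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def classify(kind, value):
    # Returns a reason string when the decoded value is out of shape, else None.
    if kind == "int":
        return None if value.isdigit() else "non-numeric id (possible SQLi)"
    if SQLI.search(value):
        return "SQL metacharacters or keywords (possible SQLi)"
    if XSS.search(value):
        return "script markup (possible XSS)"
    return None

def scan(log_text):
    # One finding per suspicious parameter value on a watched endpoint.
    findings = []
    for line in log_text.splitlines():
        m = LOG.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = WATCHED.get(parts.path)
        if not params:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for name, kind in params.items():
            for value in query.get(name, []):
                reason = classify(kind, value)
                if reason:
                    findings.append({"ip": m.group("ip"), "path": parts.path, "param": name, "value": value, "reason": reason})
    return findings
# Constructed sample lines (not real traffic): one benign request, then three suspicious ones.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /admin/delete_judge.php?judge_id=7 HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "GET /admin/delete_judge.php?judge_id=7%27 HTTP/1.1" 500 0
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /admin/judges.php?fname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048
203.0.113.9 - - [10/Mar/2025:12:00:04 +0000] "GET /admin/edit_team.php?num_id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 900
"""
```

Running `scan(SAMPLE_LOG)` returns three findings, one per suspicious line, each carrying the source IP, endpoint, parameter and reason for triage.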