CVE Alert: CVE-2025-12254 – code-projects – Online Event Judging System
CVE-2025-12254
A vulnerability was identified in code-projects Online Event Judging System 1.0. Affected by this issue is some unknown functionality of the file /add_judge.php. Such manipulation of the argument fullname leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
AI Summary Analysis
Risk verdict
High risk and urgent: remote SQL injection with a publicly available exploit; treat as priority 1.
Why this matters
Exploitation can read or modify database contents, affecting data integrity and confidentiality and potentially enabling data exfiltration. Public exposure increases the likelihood of automated scanning and mass exploitation, with potential for disruption to judging workflows and regulatory/compliance impact.
Most likely attack path
No user interaction is required beyond sending crafted input in a web request; the flaw is exploitable over a remote network channel with only low-privilege access (PR:L) and no UI interaction (UI:N). The vulnerability's scope remains unchanged, with partial impacts to confidentiality, integrity, and availability, enabling data leakage or corruption through a single parameter.
Who is most exposed
Public-facing or broadly accessible web interfaces on PHP/MySQL stacks are most at risk, particularly SME or educational deployments hosting event/judging portals without strong input handling or least-privilege database credentials.
Detection ideas
- Unexpected error messages or SQL traces in web/application logs.
- Requests containing unusual quoting or SQL syntax in input fields (e.g., fullname).
- Elevated DB error rates or abnormal query patterns in the app layer.
- WAF alerts for typical SQLi payloads (e.g. UNION SELECT, stacked comments, time-based/timing patterns).
- Indicators of data exfiltration attempts from the database.
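The second detection idea above (unusual quoting or SQL syntax in the fullname field) can be turned into a simple log check. The following is an added example, not code from the alert or from the Online Event Judging System project: it scans constructed access-log lines, pulls the fullname query parameter out of the request line, and flags values containing quote characters, SQL keywords or comment sequences. The log format, the assumption that fullname arrives as a GET parameter (POST bodies are not present in a standard access log), and the sample lines themselves are all constructed for illustration.

```php
<?php
// Added example (not the project's code): flag SQL-like syntax in the
// "fullname" parameter of web server access-log lines.
// Log format and parameter position are assumptions for illustration.

// Constructed sample lines (not real traffic).
$logLines = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /add_judge.php?fullname=Jane+Doe HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /add_judge.php?fullname=Jane%27+OR+1%3D1--+ HTTP/1.1" 500 120',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 900',
];

// Patterns reflecting the alert's detection ideas: unusual quoting,
// SQL keywords, comment sequences and timing functions in a name field.
const SUSPICIOUS_PATTERNS = [
    '/[\'"`]/',                                                   // quote characters
    '/\b(union\s+select|sleep\s*\(|benchmark\s*\(|or\s+\d+\s*=)/i', // keywords / timing
    '/(--|\/\*|;)/',                                              // comments, stacked statements
];

// Extract the decoded fullname parameter from a request line, or null.
function extract_fullname(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);   // also percent-decodes the value
    return isset($params['fullname']) ? (string) $params['fullname'] : null;
}

// True when the value matches any of the suspicious patterns.
function is_suspicious(string $value): bool
{
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $value) === 1) {
            return true;
        }
    }
    return false;
}

foreach ($logLines as $line) {
    $name = extract_fullname($line);
    if ($name !== null && is_suspicious($name)) {
        echo "ALERT: suspicious fullname value: {$name}\n  in: {$line}\n";
    }
}
```

Legitimate names such as O'Brien will trip the quote-character rule, so in practice correlate a hit with the HTTP status (the 500 in the second sample line) or with the database error-rate signal from the list above before raising an alert, and tune the keyword list to the application's expected input.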
Mitigation and prioritisation
- Apply vendor patch or upgrade to address the SQLi; verify patch applicability in staging.
- Enforce parameterised queries and strong input validation; replace dynamic SQL with prepared statements.
- Implement least-privilege database accounts; restrict the affected app’s DB permissions.
- Deploy web app firewall rules to block common SQL injection patterns; monitor for anomalous queries.
- Change-management: schedule patch window with rollback plan; communicate exposure to stakeholders. Treat as priority 1 due to KEV/public PoC.
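To make the second mitigation concrete, here is an added example of the defect class described for the fullname argument next to its prepared-statement fix. This is not the project's /add_judge.php code: the table and column names (judges, fullname), the function names, the length limit and the connection details are all assumptions for illustration.

```php
<?php
// Added example (not the project's code): dynamic SQL vs. a prepared
// statement for a "fullname" parameter. Table/column names, the length
// policy and the credentials are assumptions for illustration.

// BEFORE (defect pattern): string concatenation lets quote characters in
// the submitted value change the structure of the SQL statement.
function add_judge_vulnerable(mysqli $db, string $fullname): bool
{
    $sql = "INSERT INTO judges (fullname) VALUES ('" . $fullname . "')";
    return $db->query($sql) === true;
}

// AFTER: the statement shape is fixed at prepare time and the value is
// bound separately, so it is never parsed as SQL. Input validation is an
// additional layer, not a substitute for parameterisation.
function add_judge_hardened(mysqli $db, string $fullname): bool
{
    // Reject empty or oversized names early (100-character limit is an assumption).
    if ($fullname === '' || mb_strlen($fullname) > 100) {
        return false;
    }
    $stmt = $db->prepare("INSERT INTO judges (fullname) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $fullname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage sketch (host, user, password and database are placeholders).
// The DB account should be limited to the tables and statements the
// application needs, per the least-privilege item above.
// $db = new mysqli('localhost', 'judging_app', 'PLACEHOLDER_PASSWORD', 'judging');
// $db->set_charset('utf8mb4');
// add_judge_hardened($db, $_POST['fullname'] ?? '');
```

Enabling mysqli exception reporting (mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)) and logging failures server-side, rather than echoing driver errors to the client, also removes the SQL-trace leakage that the detection section treats as an indicator.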