CVE Alert: CVE-2025-12256 – code-projects – Online Event Judging System

CVE-2025-12256

MEDIUM | No exploitation known | PoC observed

A weakness has been identified in code-projects Online Event Judging System 1.0. The vulnerability affects unknown code in the file /edit_contestant.php. Manipulation of the argument contestant_id can lead to SQL injection. The attack can be executed remotely. An exploit has been made available to the public and could be used.

CVSS v3.1: 6.3
Vendor: code-projects
Product: Online Event Judging System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-27T09:32:05.563Z
Updated: 2025-10-27T14:17:19.226Z

AI Summary Analysis

Risk verdict

Moderate risk driven by a remote SQL injection with a publicly available PoC; exploitation is not shown as active in the wild and requires low-privilege access.

Why this matters

If exploited, an attacker could read or modify contestant data and contest configuration, undermining competition integrity and exposing any stored personal data. The web-facing endpoint heightens exposure for small hosts or self-managed deployments.

Most likely attack path

An attacker remotely targets the edit_contestant.php endpoint with a crafted contestant_id to trigger a SQL injection. The CVSS indicates network access and no user interaction, but requires low privileges, suggesting an attacker with minimal access could attempt exploitation if the endpoint is reachable and not properly protected. Successful abuse could reveal or corrupt data within the same database scope.

Who is most exposed

Organizations running the Online Event Judging System 1.0 with the vulnerable file publicly accessible or inadequately access-controlled are most at risk, including small event hosts, educational cohorts, or hosted demo sites.

Detection ideas

  • SQL error messages or unusual query patterns in web/app logs.
  • Repeated unexpected values for contestant_id in access logs.
  • Anomalous spikes of requests to edit_contestant.php without valid authentication.
  • WAF alerts for SQL injection signatures targeting the endpoint.
  • Sudden changes to contestant records or contest configurations.
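The following is an added example, not part of the original alert and not code from the code-projects application, showing how the second and third detection ideas above can be turned into a simple log check. It parses Apache combined-format access-log lines (the sample lines are constructed for this example), isolates requests to /edit_contestant.php, flags any contestant_id value that is not a bare positive integer, and counts per-client hits and server errors on the endpoint. The expected shape of contestant_id (a positive integer) is an assumption; adjust it if the application legitimately uses other formats.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2025:09:30:01 +0000] "GET /edit_contestant.php?contestant_id=12 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2025:09:30:03 +0000] "GET /edit_contestant.php?contestant_id=13 HTTP/1.1" 200 1851 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2025:09:31:10 +0000] "GET /edit_contestant.php?contestant_id=12%27 HTTP/1.1" 500 512 "-" "python-requests/2.31"
198.51.100.9 - - [27/Oct/2025:09:31:11 +0000] "GET /edit_contestant.php?contestant_id=12%20AND%201%3D1 HTTP/1.1" 200 1843 "-" "python-requests/2.31"
192.0.2.5 - - [27/Oct/2025:09:32:00 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

ENDPOINT = "/edit_contestant.php"


def parse_line(line):
    """Return a dict with ip, path, status and the decoded contestant_id, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": int(m.group("status")),
        "contestant_id": query.get("contestant_id", [None])[0],
    }


def is_well_formed_id(value):
    """Assumption: a legitimate contestant_id is a bare positive integer."""
    return value is not None and re.fullmatch(r"[1-9]\d*", value) is not None


def analyse(log_text):
    """Scan log lines and collect malformed ids, hits and 5xx errors per client for the endpoint."""
    findings = {"malformed": [], "hits_by_ip": Counter(), "errors_by_ip": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        findings["hits_by_ip"][rec["ip"]] += 1
        if rec["status"] >= 500:
            findings["errors_by_ip"][rec["ip"]] += 1
        if not is_well_formed_id(rec["contestant_id"]):
            findings["malformed"].append((rec["ip"], rec["contestant_id"]))
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, value in result["malformed"]:
        print(f"suspicious contestant_id from {ip}: {value!r}")
    for ip, n in result["errors_by_ip"].items():
        print(f"{ip}: {n} server error(s) on {ENDPOINT}")
```

Run against a real access log, the two counters give the "repeated unexpected values" and "spikes of requests" signals from the list above; any non-numeric contestant_id paired with a 500 response is worth an immediate look, because a database error on a malformed parameter is the typical footprint of an injection probe.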

Mitigation and prioritisation

  • Apply patch or upgrade to a fixed release; if unavailable, implement parameterised queries and input validation on contestant_id.
  • Enforce strict access control and IP allowlisting for edit_contestant.php; disable indirect access if not required.
  • Implement or tune WAF rules to detect SQLi patterns on this endpoint; monitor for PoC indicators.
  • Change-management: test fixes in staging, two-step deployment, and rollback plan.
  • If KEV is confirmed or EPSS ≥ 0.5, treat as priority 1; otherwise treat as a high-priority remediation.
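As an added illustration of the first mitigation item (parameterised queries plus input validation on contestant_id), the example below is not the project's code; the application is written in PHP and its real query is not shown on this page, so a Python/sqlite3 stand-in with a constructed contestants table is used to show the principle. The unsafe function builds the WHERE clause by string concatenation, which is the CWE-89 pattern; the hardened function rejects anything that is not a positive integer and binds the value as a query parameter.

```python
import re
import sqlite3


def open_demo_db():
    """Constructed in-memory table standing in for the application's contestant data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contestants (id INTEGER PRIMARY KEY, name TEXT, score INTEGER)")
    conn.executemany(
        "INSERT INTO contestants VALUES (?, ?, ?)",
        [(1, "Ada", 90), (2, "Grace", 85), (3, "Linus", 70)],
    )
    return conn


def unsafe_load_contestants(conn, raw_id):
    """Vulnerable pattern: the request value is spliced into SQL text (do not use)."""
    sql = f"SELECT id, name, score FROM contestants WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def validate_contestant_id(raw):
    """Assumption: a contestant_id is a positive integer; anything else is rejected."""
    if not isinstance(raw, str) or re.fullmatch(r"[1-9]\d*", raw) is None:
        raise ValueError("contestant_id must be a positive integer")
    return int(raw)


def load_contestant(conn, raw_id):
    """Hardened lookup: validate, then bind the value as a parameter."""
    cid = validate_contestant_id(raw_id)
    return conn.execute(
        "SELECT id, name, score FROM contestants WHERE id = ?", (cid,)
    ).fetchone()


def update_score(conn, raw_id, raw_score):
    """Hardened write path for the edit form: both values validated and bound."""
    cid = validate_contestant_id(raw_id)
    if not isinstance(raw_score, str) or re.fullmatch(r"\d{1,3}", raw_score) is None:
        raise ValueError("score must be an integer between 0 and 999")
    cur = conn.execute(
        "UPDATE contestants SET score = ? WHERE id = ?", (int(raw_score), cid)
    )
    return cur.rowcount


if __name__ == "__main__":
    db = open_demo_db()
    print("unsafe, tautology input:", unsafe_load_contestants(db, "2 OR 1=1"))  # every row
    print("hardened, valid input:", load_contestant(db, "2"))
    try:
        load_contestant(db, "2 OR 1=1")
    except ValueError as exc:
        print("hardened, rejected:", exc)
```

The validation step is belt-and-braces: with a bound parameter the database never interprets the value as SQL, but rejecting malformed ids before the query also keeps the injection probes out of the application's error path, which is where the detection ideas above look for them.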
