CVE Alert: CVE-2025-10102 – code-projects – Online Event Judging System

CVE-2025-10102

Severity: HIGH | Exploitation: none known | PoC observed

A security flaw has been discovered in code-projects Online Event Judging System 1.0. It affects an unknown function in the file /index.php: manipulating the Username argument leads to SQL injection. The attack can be carried out remotely. The exploit has been released publicly and may be used.

CVSS v3.1 score: 7.3
Vendor: code-projects
Product: Online Event Judging System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-08T18:32:09.841Z
Updated: 2025-09-08T18:51:59.214Z

AI Summary Analysis

Risk verdict

High risk due to remote, unauthenticated SQL injection with a public exploit and PoC available; patching or compensating controls should be enacted promptly.

Why this matters

The flaw enables attackers to read or modify the application’s database via the vulnerable index.php, potentially exposing sensitive event data or undermining judging results. Automated tools could mass-scan and exploit exposed instances, increasing risk across multiple deployments.

Most likely attack path

An attacker sends crafted requests to the vulnerable Username parameter on /index.php without authentication. With AV:N, UI:N, PR:N, the exploit requires no user interaction or privileges; successful injections can lead to data disclosure or modification within the database (I:L/C:L/A:L). Because the Scope is Unchanged, lateral movement to other assets depends on DB-level connectivity and permissions.

Who is most exposed

Public-facing deployments of code-projects Online Event Judging System, especially older 1.0 instances on common LAMP stacks or shared hosting, are at highest risk due to exposed input handling and lack of input sanitisation.

Detection ideas

  • Web logs show anomalous Username inputs containing quotes/UNION-based patterns.
  • Database errors or stack traces surfaced in responses or logs.
  • Sudden spikes in SQL query volume or unexpected data access patterns.
  • IDS/IPS hits for SQLi-like signatures targeting index.php.
  • Unusual data exfiltration indicators from the backend DB.
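
Worked example for the first two detection bullets above (added here; it is not part of the original alert and not the vendor's code): a Python scanner that pulls the Username query parameter out of access-log lines for /index.php and flags SQLi-like values, recording the response status so database errors (5xx) can be correlated. The log lines, client IPs and timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from a real deployment).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Sep/2025:18:40:01 +0000] "GET /index.php?Username=judge01&Password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Sep/2025:18:40:05 +0000] "GET /index.php?Username=admin%27--&Password=x HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.12 - - [08/Sep/2025:18:40:09 +0000] "GET /index.php?Username=a%27+UNION+SELECT+1%2C2--&Password=x HTTP/1.1" 500 220 "-" "python-requests/2.32"
203.0.113.13 - - [08/Sep/2025:18:40:12 +0000] "GET /about.php?Username=it%27s HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.14 - - [08/Sep/2025:18:40:15 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures checked against the URL-decoded Username value: quote characters,
# SQL comment sequences, UNION ... SELECT, and simple boolean tautologies.
SQLI_RE = re.compile(r"""(['"]|--|/\*|\bunion\b.*\bselect\b|\bor\b\s+\S+\s*=\s*\S+)""", re.IGNORECASE)


def suspicious_username(value):
    """Return True if the decoded Username value matches an SQLi-like pattern."""
    return bool(SQLI_RE.search(value))


def scan_log(text):
    """Return one record per request to /index.php whose Username parameter looks like SQLi.

    Only the query string is visible in an access log; form POST bodies are not,
    so the POST line in the sample produces no hit and needs WAF or application logs.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/index.php":          # scope to the vulnerable script
            continue
        for value in parse_qs(parts.query).get("Username", []):   # parse_qs URL-decodes
            if suspicious_username(value):
                status = int(m.group("status"))
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "username": value,
                             "status": status, "db_error": status >= 500})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A lone quote character is a noisy signal (legitimate names such as O'Brien contain one), so treat a quote-only hit as low confidence and weight hits that coincide with a 5xx response or UNION/comment sequences higher.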

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a fixed version; validate patch install in change-management window.
  • Implement prepared statements and parameterised queries; sanitize and validate Username input.
  • Enforce least-privilege DB accounts; restrict DB user permissions to necessary operations only.
  • Deploy WAF/IPS rules to block SQLi patterns; disable verbose error reporting to users.
  • Monitor DB access and alert on anomalous query patterns; schedule immediate post-patch verification. If KEV/EPSS data confirms higher risk, escalate to Priority 1.
