CVE Alert: CVE-2025-10103 – code-projects – Online Event Judging System
CVE-2025-10103
A weakness has been identified in code-projects Online Event Judging System 1.0. It affects an unknown function of the file /home.php. Manipulation of the argument main_event can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used.
AI Summary Analysis
Risk verdict
High risk: remote SQL injection with a publicly disclosed exploit can lead to data leakage or modification.
Why this matters
Exposed contest and participant data could be read or tampered with, and judge results or submissions may be adversarially influenced. A successful breach may enable database abuse, credential exposure, or lateral movement within the hosting environment.
Most likely attack path
An unauthenticated attacker can send crafted input to the vulnerable /home.php endpoint (the main_event parameter) over the network, triggering an SQL injection. The attack requires no prior privileges and little or no user interaction, so data may be exposed or altered without authentication; impact across confidentiality, integrity, and availability is plausible.
Who is most exposed
Public-facing installations of code-projects Online Event Judging System are the primary risk, commonly deployed by educational institutions or contest platforms on shared or cloud hosting with external access.
Detection ideas
- Unusual or malformed main_event inputs observed in web logs.
- SQL error messages or database errors returned in responses.
- Sudden spikes in requests to /home.php or to endpoints handling user-submitted data.
- Correlation of failed queries with external IPs or known malicious sources.
- IDS/WAF alerts for classic SQLi payloads (e.g., tautologies, UNION-based patterns).
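The detection ideas above can be turned into a small log scanner. The following is an added example, not part of the advisory and not code from the code-projects project: it parses access-log lines in the common "combined" format, pulls the main_event value out of requests to /home.php (the path and parameter name come from the advisory), flags values carrying classic SQLi fragments, flags 500 responses on that endpoint, and counts requests per client so a spike can be raised. The log lines are constructed for the example, as are the threshold and the pattern list.

```python
"""Scan web access-log lines for suspicious main_event values sent to /home.php.
Added example; log lines, patterns and threshold are constructed assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx "combined" format: ip - - [ts] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Classic SQLi fragments, matched case-insensitively on the decoded value:
# quote-led tautologies, UNION SELECT, comment markers, stacked statements, timing probes.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"'\s*(or|and)\s+['\d]",
        r"\bunion\b.*\bselect\b",
        r"(--|#|/\*)",
        r";\s*(drop|insert|update|delete|select)\b",
        r"\b(sleep|benchmark)\s*\(",
    )
]

def extract_main_event(target):
    """Return the decoded main_event value for requests to /home.php, else None."""
    parts = urlsplit(target)
    if parts.path != "/home.php":
        return None
    vals = parse_qs(parts.query, keep_blank_values=True).get("main_event")
    # parse_qs already decodes once; decoding again catches double-encoded evasion.
    return unquote_plus(vals[0]) if vals else None

def is_suspicious(value):
    """True when the value carries one of the injection fragments above."""
    return any(p.search(value) for p in SQLI_PATTERNS)

def analyse(lines, spike_threshold=5):
    """Return (alerts, per-ip request counts) for an iterable of log lines."""
    alerts = []
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        value = extract_main_event(m["target"])
        if value is None:
            continue  # not a /home.php?main_event= request
        hits[m["ip"]] += 1
        if is_suspicious(value):
            alerts.append({"ip": m["ip"], "value": value, "reason": "sqli-pattern"})
        elif m["status"] == "500":
            # A server error on a plain-looking value is worth correlating with
            # the application's own error log (the "database errors" idea above).
            alerts.append({"ip": m["ip"], "value": value, "reason": "server-error"})
    for ip, n in hits.items():
        if n >= spike_threshold:
            alerts.append({"ip": ip, "value": None, "reason": f"spike:{n}"})
    return alerts, hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:10:00:01 +0000] "GET /home.php?main_event=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2025:10:00:02 +0000] "GET /home.php?main_event=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Sep/2025:10:00:03 +0000] "GET /home.php?main_event=3%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Sep/2025:10:00:04 +0000] "GET /home.php?main_event=7 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Sep/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG, spike_threshold=3)
    for a in found:
        print(a)
```

Run against the constructed lines, the scanner reports two pattern hits from 203.0.113.7 and, with the threshold lowered to 3, a spike for that address; the plain main_event=7 request from the second client is left alone. In production the same functions would be fed from the log shipper or SIEM, and the pattern list tuned to the WAF's existing SQLi signatures.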
Mitigation and prioritisation
- Apply the vendor patch or upgrade to a fixed version; if none is available, add server-side input validation and use parameterised queries for main_event.
- Enforce least-privilege database credentials and restrict the application’s DB user rights.
- Implement strongly typed, server-side validation for all user-supplied data; consider disabling or sanitising the vulnerable parameter.
- Deploy WAF/IPS rules targeting SQLi patterns; monitor for data exfiltration indicators.
- Change-management: test in staging, schedule a controlled production rollout with post-deployment monitoring.
- If the CVE is listed in CISA's KEV catalogue or its EPSS score is ≥ 0.5, treat it as priority 1.
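The first two mitigation items (validation and parameterised queries) are easiest to see side by side. The following is an added example, not code from the affected project: a Python/sqlite3 stand-in for the lookup that /home.php presumably performs, with the query-concatenation defect next to the type-checked, parameter-bound version. The real application is PHP and its schema is not published, so the table, column names and rows here are assumptions constructed for the example.

```python
"""Vulnerable versus hardened lookup by main_event. Added example using an
in-memory SQLite table; schema and data are constructed assumptions."""
import sqlite3

def make_db():
    """Build a throwaway events table with one non-public row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        (1, "Regional Finals", 1),
        (2, "Judges-only dry run", 0),
        (3, "Hackathon 2025", 1),
    ])
    return conn

def lookup_vulnerable(conn, main_event):
    """Defective pattern: the raw request parameter is spliced into the SQL text,
    so the WHERE clause is whatever the client wants it to be."""
    sql = "SELECT id, name FROM events WHERE public = 1 AND id = '" + main_event + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, main_event):
    """Hardened pattern: enforce the expected type server-side, then bind the
    value as a query parameter so it can never change the statement's structure."""
    try:
        event_id = int(main_event)
    except (TypeError, ValueError):
        raise ValueError("main_event must be an integer event id")
    sql = "SELECT id, name FROM events WHERE public = 1 AND id = ?"
    return conn.execute(sql, (event_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "1"))
    print("vulnerable, tautology:   ", lookup_vulnerable(db, "1' OR '1'='1"))
    print("safe, normal input:      ", lookup_safe(db, "1"))
    try:
        lookup_safe(db, "1' OR '1'='1")
    except ValueError as e:
        print("safe, tautology rejected:", e)
```

With ordinary input both functions return the same single row; with a tautology the concatenated query returns every row, including the non-public one, while the hardened version rejects the value before the database sees it. The same two steps apply to a PHP/MySQL code base via prepared statements, and pairing them with a database account that can only read the tables the page needs limits what any remaining defect can reach.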