CVE Alert: CVE-2025-10104 – code-projects – Online Event Judging System

CVE-2025-10104

Severity: HIGH | Exploitation: No exploitation known | PoC observed

A security vulnerability has been detected in code-projects Online Event Judging System 1.0. An unknown function in the file /review_search.php is affected. Manipulation of the argument txtsearch leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1 score: 7.3
Vendor: code-projects
Product: Online Event Judging System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-08T20:02:06.910Z
Updated: 2025-09-08T20:19:51.283Z

AI Summary Analysis

Risk verdict

High risk due to remote, unauthenticated SQL injection with publicly disclosed PoC; address as a priority.

Why this matters

Attackers can read or manipulate data from the affected database and potentially exfiltrate sensitive information. Given the unauthenticated remote access and public exploit, a broad threat surface exists for public-facing deployments, risking reputational damage and data integrity.

Most likely attack path

Publicly reachable /review_search.php endpoint accepts txtsearch input; an attacker supplies crafted input to trigger SQL injection without user interaction. The attack can occur with no authentication, allowing data leakage or modification and partial impact to confidentiality, integrity, and availability within the same system scope.

Who is most exposed

Public-facing instances of the Online Event Judging System or education/competition platforms that expose search endpoints are most at risk. Organisations hosting demo or student-facing environments without rigorous input sanitisation are particularly vulnerable.

Detection ideas

  • Unusual or erroring SQL queries in web/app logs linked to txtsearch values.
  • Repeated high-volume, crafted input strings triggering DB errors or slow queries.
  • Anomalous data retrieval patterns or unexpected data fields appearing in responses.
  • WAF/IDS alerts for SQLi-like signatures on review_search.php traffic.
  • Sudden spikes in 500/DB error responses tied to the endpoint.
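The first, second and last detection ideas above can be scripted against ordinary web-server access logs. The following is an added example, not code from the advisory or from the vendor: it parses constructed sample log lines (common log format, invented addresses and values), URL-decodes the txtsearch parameter of requests to /review_search.php, runs a few heuristic SQLi signatures over it, and separately counts 5xx responses per client so that error spikes are caught even when the signatures miss.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2025:20:05:01 +0000] "GET /review_search.php?txtsearch=robotics HTTP/1.1" 200 5120
203.0.113.5 - - [08/Sep/2025:20:05:02 +0000] "GET /review_search.php?txtsearch=Dance+2025 HTTP/1.1" 200 4870
198.51.100.7 - - [08/Sep/2025:20:06:10 +0000] "GET /review_search.php?txtsearch=a%27+OR+%271%27%3D%271 HTTP/1.1" 500 312
198.51.100.7 - - [08/Sep/2025:20:06:11 +0000] "GET /review_search.php?txtsearch=a%27+UNION+SELECT+1%2C2--+ HTTP/1.1" 500 312
198.51.100.7 - - [08/Sep/2025:20:06:12 +0000] "GET /review_search.php?txtsearch=O%27Brien HTTP/1.1" 500 312
192.0.2.9 - - [08/Sep/2025:20:07:00 +0000] "GET /index.php HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Heuristic signatures applied to the URL-decoded txtsearch value; tune for your data.
SQLI_PATTERNS = [
    ("quote_then_keyword", re.compile(r"""['"]\s*(or|and|union|select)\b""", re.I)),
    ("comment_terminator", re.compile(r"--|#|/\*")),
    ("tautology", re.compile(r"""(['"]?)(\w+)\1\s*=\s*\1\2""")),
]

def parse_line(line):  # -> {ip, status, txtsearch} for /review_search.php hits, else None
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/review_search.php":
        return None
    value = parse_qs(parts.query).get("txtsearch", [""])[0]  # percent- and plus-decoded
    return {"ip": m["ip"], "status": int(m["status"]), "txtsearch": value}

def sqli_indicators(value):  # names of the signatures that fire on one value
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]

def analyse(log_text, error_threshold=3):
    """Return (signature hits, clients with >= error_threshold 5xx responses)."""
    hits, errors = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] >= 500:
            errors[rec["ip"]] += 1
        reasons = sqli_indicators(rec["txtsearch"])
        if reasons:
            hits.append({"ip": rec["ip"], "txtsearch": rec["txtsearch"], "reasons": reasons})
    # Error spikes also surface probing the signatures miss (and the app's own quoting bugs).
    noisy = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return hits, noisy
```

Note that the legitimate value O'Brien trips none of the signatures but still contributes to the 5xx count for its client, which is exactly the kind of "erroring query tied to txtsearch" the first bullet asks you to look for.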

Mitigation and prioritisation

  • Patch or upgrade to fixed version; apply vendor-supplied remediation promptly.
  • Implement parameterised queries/prepared statements; enforce input validation on txtsearch.
  • Restrict database privileges for the web app user; enable least-privilege access.
  • Disable detailed error messages; bolster monitoring and alerting on DB errors.
  • Change-management: test fixes in staging, then deploy with rollback plan.
  • If KEV true or EPSS ≥ 0.5, treat as priority 1. If not, still prioritise due to PoC publicisation and remote access.
