CVE Alert: CVE-2025-12238 – code-projects – Automated Voting System

CVE-2025-12238

Severity: MEDIUM | Exploitation in the wild: none known | Public PoC: observed

A SQL injection vulnerability (CWE-89) has been reported in code-projects Automated Voting System 1.0. The affected code is an unspecified function in the file /admin/user.php: the value of the Username argument is incorporated into a database query without proper escaping or parameterisation, so a crafted Username value changes the query that is executed. The attack can be carried out remotely; according to the CVSS vector it needs only low privileges and no user interaction. A proof-of-concept exploit has been published, so the flaw may be exploited in practice.

CVSS v3.1 base score: 6.3 (MEDIUM)
Vendor: code-projects
Product: Automated Voting System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Note on the vector: 6.3 is the base score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The appended temporal metrics record a proof-of-concept exploit (E:P), no remediation level (RL:X) and reasonable report confidence (RC:R), which give a temporal score of 5.7.
Published: 2025-10-27T06:32:06.192Z
Updated: 2025-10-27T13:21:46.145Z

AI Summary Analysis

Risk verdict: remote SQL injection through the Username argument of /admin/user.php, with low attack complexity and only low privileges required, lets an attacker read and modify data in the application's database. A public PoC exists, which raises urgency; final priority should also take KEV listing and EPSS into account, neither of which is reported on this page.

Why this matters: an injected query can read or alter the voter and account records the application stores, undermining the integrity of the results the system reports. The vector rates confidentiality, integrity and availability impact as low, but a voting system's value lies in the trustworthiness of exactly that data. With a public PoC, internet-facing instances should expect automated scanning of the vulnerable endpoint.

Most likely attack path: an attacker holding a low-privilege account (PR:L) sends an ordinary HTTP request to /admin/user.php whose Username value contains SQL syntax; no user interaction is needed and the attack complexity is low. Scope is unchanged, so the impact stays within the application's database: leakage of stored data or unauthorised modification of records.

Who is most exposed: deployments that expose the Automated Voting System's web admin interface to the internet or to a poorly segmented internal network, in particular installations of version 1.0 in a DMZ or on shared hosting where the /admin/ path is not restricted to trusted operators.

Detection ideas:

  • SQL syntax errors or unexpected query shapes in application and database logs, especially errors attributable to requests for /admin/user.php.
  • Username values in requests to /admin/user.php that contain quotes, SQL keywords (OR, UNION, SELECT), comment sequences (--, #, /*) or URL-encoded forms of these.
  • Bursts of requests to user.php from a single client, rising database query latency, or HTTP 500 responses from that endpoint, all typical of automated scanners working through payload lists.
  • WAF alerts for SQL injection signatures in the query string or request body of admin requests.
  • Indicators published in external advisories or alongside the public exploit.
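The second and third detection ideas above can be turned into a log check. The following Python script is an added example, not code from this advisory or from the code-projects project: it parses a few constructed web-server access-log lines in combined log format, URL-decodes the Username parameter of requests to /admin/user.php, and flags values that carry common SQL injection indicators. The addresses, timestamps and user agents in the sample lines are fabricated; the path and parameter name are the ones the advisory names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined log format (not real traffic). The
# client addresses, timestamps and user agents are made up; the path and the
# parameter name are those given in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2025:08:01:12 +0000] "GET /admin/user.php?Username=alice HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2025:08:01:15 +0000] "GET /admin/user.php?Username=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5890 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Oct/2025:08:02:40 +0000] "GET /admin/user.php?Username=x%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 0 "-" "sqlmap/1.8"
203.0.113.9 - - [27/Oct/2025:08:03:01 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Oct/2025:08:03:05 +0000] "POST /admin/user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic SQL injection indicators, matched against the URL-decoded value.
SQLI_PATTERNS = [
    ("quote-boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("comment", re.compile(r"--|#|/\*")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
]


def sqli_indicators(value):
    """Names of the indicator patterns that fire on a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def scan_log(text, path="/admin/user.php", param="Username"):
    """Return one finding per request to `path` whose `param` looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        # parse_qs percent-decodes the values, so encoded quotes are seen.
        values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
        for value in values:
            hits = sqli_indicators(value)
            if hits:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "ua": m["ua"],
                    "value": value,
                    "indicators": hits,
                })
    return findings


def summarise_by_client(findings):
    """Count suspicious requests per client address, for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['ua']!r} -> {f['value']!r} {f['indicators']}")
    print(summarise_by_client(hits))
```

Access logs only carry GET parameters; the POST to /admin/user.php in the sample passes through unflagged because its body is not logged there, so the same check has to run in the WAF, the reverse proxy or an application-level log for form submissions. The patterns are deliberately broad and will also fire on some benign input (a legitimate `#` in a value, for instance); treat a hit as a lead to pivot on by client address and time, not as proof of exploitation.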

Mitigation and prioritisation:

  • Apply the vendor fix or upgrade to a release that addresses the flaw as soon as one is available; no fixed version is listed on this page.
  • Until then, rewrite the query in /admin/user.php to use prepared statements with bound parameters, validate Username against the format the application actually expects, and remove dynamic SQL string-building elsewhere in the code.
  • Put a web application firewall with SQL injection rules in front of the application and restrict the /admin/ path to trusted networks or authenticated operators; a WAF is a compensating control, not a fix.
  • Segment the host from the rest of the network and enforce strict access controls on admin endpoints; monitor and alert on anomalous admin traffic.
  • Change management: test in staging, then roll the fix out in phases; if the CVE is added to CISA KEV or its EPSS score reaches 0.5 or higher, treat it as priority 1.
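The flaw described at the top of this page and the prepared-statement advice above, shown together as one added example. This is Python with sqlite3 standing in for the project's PHP, not the project's own code: a user lookup modelled on the described handling of Username in /admin/user.php, first built by string concatenation and then with a bound parameter, run against a constructed in-memory users table. The table layout, the query shape and the payloads are assumptions made for illustration and are not taken from the public PoC.

```python
import sqlite3

# Added example modelled on the flaw described in this advisory (SQL injection
# through the Username argument of /admin/user.php). Python/sqlite3 stands in
# for the project's PHP; the users table, the query shape and the payloads
# below are assumptions for illustration, not taken from the PoC.


def make_db():
    """Constructed in-memory users table with a few sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "voter"), ("carol", "voter")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Dynamic SQL: the Username value is spliced into the statement text, so
    quotes, operators and keywords inside it are parsed as SQL (CWE-89)."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_hardened(conn, username):
    """Prepared statement with a bound parameter: the driver hands the value
    to the engine separately from the statement, so it is only ever compared
    as data and cannot change the query's structure."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology: closes the string literal and appends an always-true condition,
# so the lookup returns every row instead of one.
BYPASS_PAYLOAD = "x' OR '1'='1"
# UNION-based read of a different table (sqlite's catalogue here); the trailing
# comment swallows the closing quote the application appends.
SCHEMA_PAYLOAD = "x' UNION SELECT 1, name, sql FROM sqlite_master --"


def demo():
    """Run both lookups with a normal value and with the two payloads."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_user_vulnerable(conn, "bob"),
        "vulnerable_bypass": lookup_user_vulnerable(conn, BYPASS_PAYLOAD),
        "vulnerable_schema": lookup_user_vulnerable(conn, SCHEMA_PAYLOAD),
        "hardened_normal": lookup_user_hardened(conn, "bob"),
        "hardened_bypass": lookup_user_hardened(conn, BYPASS_PAYLOAD),
        "hardened_schema": lookup_user_hardened(conn, SCHEMA_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns all three accounts for the tautology payload and leaks the table definition for the UNION payload, while the parameterised lookup returns nothing for either, because the whole payload is compared as a username string. The fix is the bound parameter, not escaping: a validation rule on Username (length, allowed characters) is worth adding as defence in depth, but on its own it is a filter an attacker can probe for gaps.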
