CVE Alert: CVE-2025-12252 – code-projects – Online Event Judging System

CVE-2025-12252

MEDIUM | No exploitation known | PoC observed

A vulnerability was found in code-projects Online Event Judging System 1.0. Affected is an unknown function of the file /ajax/action.php. The manipulation of the argument content results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

CVSS v3.1 (6.3)
Vendor: code-projects
Product: Online Event Judging System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-27T08:32:11.065Z
Updated: 2025-10-27T16:41:35.083Z

AI Summary Analysis

Risk verdict

Medium-high risk due to a publicly disclosed SQL injection with a PoC, exploitable over the network and requiring only low-privilege authentication; urgency is warranted for exposed deployments.

Why this matters

Successful exploitation can lead to unauthorised data access, alteration of judging results, or leakage of user information. In a live event environment, even small data integrity or reputational losses can disrupt competition timelines and erode trust.

Most likely attack path

Attacker authenticates with low privileges, targets the /ajax/action.php endpoint, and injects crafted content to induce SQLi. The vulnerability enables remote abuse with no user interaction, potentially allowing data exfiltration or tampering within the judging database and limited lateral movement within the application’s data layer.

Who is most exposed

Web-hosted online judging systems, especially those deployed with internet exposure and shared database credentials, are at greatest risk. Universities, coding platforms and event organisers running exposed instances are the most likely affected parties.

Detection ideas

  • Unusual or malformed SQL patterns in the content parameter of action.php requests
  • Spikes in network requests to /ajax/action.php with anomalous payloads
  • Database error messages or elevated error counts related to content handling
  • Unexpected data reads/writes or score/table modifications
  • Repeated login attempts from clusters targeting the endpoint
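The first three detection ideas can be checked against ordinary web-server access logs. The script below is an added example, not code from the advisory or the vendor: it parses a few constructed Apache combined-format lines, isolates requests to /ajax/action.php, URL-decodes the `content` parameter and flags values that contain SQL syntax, also reporting the HTTP status so that 5xx responses (the "database error" signal) stand out. The log lines, IPs and payload are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:09:01:12 +0000] "GET /ajax/action.php?action=save&content=Great+talk HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2025:09:01:30 +0000] "GET /ajax/action.php?action=save&content=%27+OR+1%3D1-- HTTP/1.1" 500 210 "-" "curl/8.0"
10.0.0.9 - - [27/Oct/2025:09:01:31 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.7 - - [27/Oct/2025:09:02:05 +0000] "POST /ajax/action.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers of SQL syntax inside what should be free text. A lone
# apostrophe in a legitimate comment will trigger this; tune for your data.
SQLI_RE = re.compile(
    r"(?i)('|\"|--|/\*|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\()"
)


def scan_log(text, path="/ajax/action.php", param="content"):
    """Return one dict per request to `path` whose `param` value looks like SQL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        # parse_qs percent-decodes and turns '+' into spaces for us.
        # Note: POST bodies are not in access logs; for POSTed `content`
        # the same check has to run in the application or WAF log.
        for value in parse_qs(url.query).get(param, []):
            if SQLI_RE.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} content={hit['value']!r}")
```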

Mitigation and prioritisation

  • Apply vendor patch or remediation to fix the SQL injection; verify fix in staging before production.
  • Enforce least-privilege database access and give the web application its own dedicated DB account rather than shared credentials.
  • Parameterise queries, validate and constrain the content parameter; disable or sanitise dynamic content fields.
  • Implement WAF/IPS rules to block SQLi patterns in user-supplied content.
  • Schedule patching with change-management, monitor post-deployment for anomalous activity.
  • Treat as priority 2 (PoC present; no KEV/EPSS data provided).
