CVE Alert: CVE-2025-12262 – code-projects – Online Event Judging System
CVE-2025-12262
A vulnerability was determined in code-projects Online Event Judging System 1.0. It affects an unknown function of the file /edit_criteria.php. Manipulation of the argument crit_id can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
AI Summary Analysis
Risk verdict
Medium risk overall, with a publicly disclosed PoC enabling remote SQL injection; treat as urgent to assess and patch.
Why this matters
Compromise could allow an attacker to read or modify judging criteria, potentially altering contest outcomes or exfiltrating data. Even with a partial impact profile, exploitation could undermine contest integrity and erode user trust; rapid remediation reduces the risk of a broader loss of confidence in the data.
Most likely attack path
Remote attacker targets /edit_criteria.php by supplying crafted crit_id; unsanitised input leads to SQL injection (no UI interaction required). The vulnerability is network-accessible with low-privilege DB access, increasing feasibility of data exposure or manipulation. Lateral movement would depend on the compromised DB user’s reach and how broadly the affected queries interact with other system components.
Who is most exposed
Web-hosted deployments of code-projects’ Online Event Judging System, common on public internet-facing servers using relational databases (e.g., MySQL/MariaDB) on standard LAMP/LEMP stacks.
Detection ideas
- Logs show anomalous crit_id values or SQL error messages from edit_criteria.php.
- Unusual or failed SQL queries corresponding to the vulnerable parameter.
- WAF/IDS alerts for SQL injection patterns targeting the endpoint.
- Spike in database query load or abnormal data access patterns from contest-related tables.
- Unauthorized access attempts from unfamiliar IPs probing the parameter.
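The first two detection ideas, turned into a small log check, as an added example that is not part of this alert or the vendor's software: it parses combined-format web access logs (Apache/Nginx style, an assumption), isolates requests to /edit_criteria.php, and flags any crit_id value that is not a plain integer, which is also the strict data type the mitigation section asks for. The log lines, IPs and timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); addresses and
# timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:14:02:11 +0000] "GET /edit_criteria.php?crit_id=12 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:02:15 +0000] "GET /edit_criteria.php?crit_id=12%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2025:14:03:40 +0000] "GET /edit_criteria.php?crit_id=3%20OR%201%3D1 HTTP/1.1" 200 2210 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2025:14:03:41 +0000] "GET /index.php HTTP/1.1" 200 990 "-" "curl/8.4.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# crit_id is a record identifier, so the only legitimate shape is a short decimal integer.
STRICT_INT = re.compile(r"^\d{1,9}$")


def find_suspicious(log_text):
    """Return one finding per crit_id value on /edit_criteria.php that is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/edit_criteria.php":
            continue
        # parse_qs percent-decodes the values, so %27 arrives as a literal quote.
        for value in parse_qs(url.query, keep_blank_values=True).get("crit_id", []):
            if STRICT_INT.match(value):
                continue
            reason = "non-integer crit_id"
            if m["status"] == "500":
                # A server error right after a malformed crit_id suggests the value reached the query.
                reason += " followed by server error"
            findings.append({"ip": m["ip"], "ts": m["ts"], "crit_id": value,
                             "status": int(m["status"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

Feed real access logs through find_suspicious to triage; an integer-only rule will not catch every injection attempt, but it has essentially no false positives for this parameter and pairs well with the WAF/IDS alerts listed above.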
Mitigation and prioritisation
- Apply vendor patch or upgrade to a fixed release; validate in staging before production.
- Implement input validation and parameterised queries for crit_id; enforce strict data types.
- Apply least-privilege DB access for the web app user; disable detailed error messaging.
- Enable WAF rules targeting SQL injection on the affected endpoint; monitor and alert on related attempts.
- Schedule patching during a low-traffic window; document change-management and perform post-deployment validation. If KEV or EPSS indicators become positive, escalate to priority 1.
