CVE-2025-10104: Event Judging System SQLi Vulnerability

CVE-2025-10104 Overview

A SQL Injection vulnerability has been identified in the Carmelo Online Event Judging System version 1.0. The vulnerability exists in the /review_search.php file, where the txtsearch parameter is susceptible to SQL injection attacks due to improper input validation. This flaw allows unauthenticated remote attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion.

Critical Impact
Remote attackers can exploit this SQL injection vulnerability to extract sensitive database information, bypass authentication mechanisms, or compromise the integrity of the judging system's data without requiring any prior authentication.

Affected Products

Carmelo Online Event Judging System 1.0
code-projects Online Event Judging System 1.0

Discovery Timeline

September 8, 2025 - CVE-2025-10104 published to NVD
November 13, 2025 - Last updated in NVD database

Technical Details for CVE-2025-10104

Vulnerability Analysis

This SQL injection vulnerability affects the search functionality within the Online Event Judging System. The vulnerable endpoint /review_search.php accepts user input through the txtsearch parameter without proper sanitization or parameterized query handling. When a user submits a search request, the application directly concatenates the input into SQL queries, creating an injection point that attackers can exploit.

The vulnerability falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as a classic SQL injection attack vector. Due to the network-accessible nature of web applications and the lack of authentication requirements for the search functionality, this vulnerability can be exploited remotely by any attacker with network access to the application.

Root Cause

The root cause of this vulnerability is the failure to implement proper input validation and parameterized queries in the /review_search.php file. The txtsearch parameter is directly incorporated into SQL statements without sanitization, escaping, or the use of prepared statements. This coding practice violates secure development principles and allows attackers to inject arbitrary SQL commands.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP requests targeting the /review_search.php endpoint with specially crafted payloads in the txtsearch parameter. The vulnerability has been publicly disclosed, and exploit details are available, increasing the likelihood of exploitation attempts.

Successful exploitation may allow attackers to:

Extract sensitive data from the database including user credentials
Modify or delete database records
Bypass application authentication mechanisms
Potentially escalate to remote code execution depending on database configuration

The vulnerability can be exploited by sending crafted requests to the search endpoint where the txtsearch parameter contains SQL metacharacters and injection payloads. For detailed technical information, refer to the GitHub CVE Issue Discussion and VulDB #323070.

Detection Methods for CVE-2025-10104

Indicators of Compromise

Unusual or malformed HTTP requests to /review_search.php containing SQL syntax characters such as single quotes, double dashes, or UNION statements
Database error messages appearing in application logs or responses indicating SQL syntax errors
Unexpected database queries or access patterns in database audit logs
Evidence of data exfiltration or unauthorized database dumps

Detection Strategies

Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in the txtsearch parameter
Implement application-level logging to capture all requests to /review_search.php with full parameter values
Configure database query logging to identify anomalous or unauthorized SQL statements
Use intrusion detection systems (IDS) with signatures for SQL injection attack patterns

Monitoring Recommendations

Monitor web server access logs for requests containing SQL injection payloads targeting /review_search.php
Set up alerts for database errors or exceptions that may indicate injection attempts
Track unusual spikes in database queries or data access from the application
Implement real-time monitoring for any requests containing common SQL injection keywords such as UNION, SELECT, DROP, or comment sequences

How to Mitigate CVE-2025-10104

Immediate Actions Required

Restrict or disable access to the /review_search.php endpoint until a patch is applied
Deploy WAF rules to filter SQL injection attempts on the affected parameter
Review and audit database access logs for evidence of prior exploitation
If compromise is suspected, rotate database credentials and review data integrity

Patch Information

As of the last update on November 13, 2025, no official vendor patch has been released for this vulnerability. The code-projects Online Event Judging System is an open-source project, and users should monitor the Code Projects website for updates. Organizations using this software are advised to implement the workarounds below until an official fix is available.

Workarounds

Implement input validation on the txtsearch parameter to reject SQL metacharacters
Modify the application code to use prepared statements with parameterized queries
Deploy a Web Application Firewall (WAF) in front of the application with SQL injection detection rules
Restrict network access to the application to trusted IP ranges where possible
Consider disabling the search functionality entirely until the vulnerability is patched

bash

# Example WAF rule for ModSecurity to block SQL injection on txtsearch parameter
SecRule ARGS:txtsearch "@detectSQLi" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'SQL Injection attempt detected in txtsearch parameter',\
    tag:'CVE-2025-10104'"