
CVE-2025-10102: SQL Injection in code-projects Online Event Judging System

Medium
Tags: Vulnerability, CVE-2025-10102, cve, cve-2025-10102
Published: Mon Sep 08 2025 (09/08/2025, 18:32:09 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Event Judging System

Description

A security flaw has been discovered in code-projects Online Event Judging System 1.0. It affects an unknown function of the file /index.php. Manipulating the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used.

AI-Powered Analysis

Last updated: 09/08/2025, 19:01:24 UTC

Technical Analysis

CVE-2025-10102 is a SQL injection vulnerability in version 1.0 of the code-projects Online Event Judging System, located in an unspecified function of the /index.php file. It arises from missing or inadequate sanitization and validation of the 'Username' parameter, whose value an attacker can manipulate to inject SQL into the query the application builds. The flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands against the backend database without any user interaction or privileges. The CVSS 4.0 base score of 6.9 (medium severity) reflects the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low (partial) impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability does not give complete control over confidentiality, integrity, or availability, but it can lead to unauthorized data access, data modification, or partial disruption of service. Although no public exploit is currently known to be actively used in the wild, proof-of-concept code has been released, which increases the risk of exploitation. The affected product is an online event judging system, likely used by organizations to manage and score events or competitions. Because the flaw sits in the core authentication or user-input handling component, attackers could extract sensitive user data, manipulate event results, or disrupt event operations remotely, undermining the trust and operational integrity of affected deployments.
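The query shape the analysis describes, with the Username value spliced into the SQL text, is shown here beside the parameterized form the mitigation section recommends. This is an added illustration, not code from code-projects or from the advisory: the schema, the rows, and the function names are constructed for the demonstration, and an in-memory SQLite database stands in for the application's real backend. The check uses a legitimate name containing an apostrophe rather than an attack string; the concatenated version fails on it with a syntax error, which is exactly the property an injection relies on, while the parameterized version treats the value as data.

```python
"""Vulnerable-versus-parameterized lookup, added example (not the vendor's code)."""
import sqlite3
from typing import Callable, Optional, Tuple

Row = Tuple[int, str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the kind of users table a login form consults."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("judge1", "judge"), ("O'Brien", "admin")],
    )
    db.commit()
    return db


def lookup_concatenated(db: sqlite3.Connection, username: str) -> Optional[Row]:
    """The vulnerable pattern: the Username value becomes part of the SQL text,
    so quote characters inside it are parsed as SQL rather than treated as data."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()


def lookup_parameterized(db: sqlite3.Connection, username: str) -> Optional[Row]:
    """The fix: a placeholder keeps the statement text fixed and hands the value
    to the driver separately, so it can never alter the query structure."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()


def handles_apostrophe(db: sqlite3.Connection,
                       lookup: Callable[[sqlite3.Connection, str], Optional[Row]]) -> bool:
    """True if the lookup resolves a legitimate name containing an apostrophe.
    The concatenated version raises a syntax error here (the input reached the
    SQL parser); the parameterized version simply finds the row."""
    try:
        return lookup(db, "O'Brien") is not None
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query handles apostrophe:", handles_apostrophe(conn, lookup_concatenated))
    print("parameterized query handles apostrophe:", handles_apostrophe(conn, lookup_parameterized))
```

The same separation applies to PHP: with PDO or mysqli the query text carries a placeholder and the value is bound with `bindValue` or `bind_param`, never concatenated. Input validation (length, allowed characters) is a useful second layer but is not a substitute for the placeholder.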

Potential Impact

For European organizations using the code-projects Online Event Judging System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of event-related data. Attackers exploiting this flaw could gain unauthorized access to user credentials, manipulate judging scores, or extract sensitive participant information. This could lead to reputational damage, loss of trust among event participants, and potential legal consequences under GDPR due to unauthorized data exposure. The availability impact, while partial, could disrupt event operations, causing delays or cancellations. Given that the exploit requires no authentication or user interaction and can be executed remotely, the threat is substantial, especially for organizations relying on this system for critical event management. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise but still warrants urgent attention to prevent data breaches or operational disruptions.

Mitigation Recommendations

Organizations should immediately assess their use of the code-projects Online Event Judging System version 1.0 and prioritize upgrading to a patched version once one is available. In the absence of an official patch, implement input validation and use parameterized queries or prepared statements so that the 'Username' value is passed to the database as data rather than concatenated into the SQL text. Employ web application firewalls (WAFs) configured to detect and block SQL injection patterns targeting the /index.php endpoint. Conduct thorough code reviews and penetration testing focused on user input handling. Restrict the application's database permissions to the minimum necessary to limit the impact of any exploitation. Monitor logs for suspicious activity related to SQL injection attempts and for unusual database queries. Additionally, consider isolating the judging system within a segmented network zone to reduce exposure. Finally, prepare an incident response plan so that any exploitation attempt can be addressed quickly.
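The log-monitoring recommendation above can be turned into a concrete first-pass screen. The following is an added example, not part of the advisory and not tooling from code-projects: it parses access-log lines in the common combined format, isolates requests to /index.php, and flags Username values that combine a quote character with a SQL comment marker or keyword. The log lines are constructed for the demonstration, and the parameter name and path are assumptions taken from the advisory's description. A lone apostrophe is deliberately not enough to alert, because names such as O'Brien are legitimate input; requiring a second signal keeps the false-positive rate workable.

```python
"""Access-log screen for suspicious Username values, added example (not from the advisory)."""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Sep/2025:18:40:01 +0000] "GET /index.php?Username=judge1&Password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Sep/2025:18:40:05 +0000] "GET /index.php?Username=admin%27%20--&Password=x HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2025:18:41:13 +0000] "GET /index.php?Username=O%27Brien&Password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2025:18:42:00 +0000] "GET /scores.php?event=3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Sep/2025:18:43:21 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Request line of the combined format: client IP, timestamp, method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Secondary signals that, together with a quote, point at SQL rather than a name.
COMMENT_RE = re.compile(r"--|/\*|#")
KEYWORD_RE = re.compile(r"\b(union|select|or|and|sleep|benchmark|waitfor)\b", re.IGNORECASE)


def is_suspicious_username(value: str) -> bool:
    """Flag a value only when a quote is combined with a comment marker or keyword.
    A lone apostrophe (O'Brien) is legitimate and must not alert by itself."""
    has_quote = "'" in value or '"' in value
    has_comment = COMMENT_RE.search(value) is not None
    has_keyword = KEYWORD_RE.search(value) is not None
    return has_quote and (has_comment or has_keyword)


def scan_log(text: str, path: str = "/index.php", param: str = "Username") -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_value) for every suspicious value of `param`
    sent to `path`. Only GET parameters appear in the access log; POST bodies
    need application-level logging or a WAF to be screened the same way."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != path:
            continue
        # parse_qs percent-decodes, so %27 becomes a literal quote here.
        for value in parse_qs(parts.query).get(param, []):
            if is_suspicious_username(value):
                hits.append((match.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious Username from {ip}: {value!r}")
```

Run it against the real access log with `scan_log(open(path).read())`. Treat a hit as a trigger for the incident response plan rather than proof of compromise: correlate the client IP with database error logs and with any unexpected rows or score changes around the same timestamp, and remember that the screen sees only GET requests unless the application also logs POST parameters.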


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-08T13:43:17.372Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68bf2487d5a2966cfc8267e8

Added to database: 9/8/2025, 6:46:31 PM

Last enriched: 9/8/2025, 7:01:24 PM

Last updated: 9/10/2025, 4:07:21 AM

