
CVE-2025-8174: Unrestricted Upload in code-projects Voting System

Severity: Medium
Type: Vulnerability
Published: Sat Jul 26 2025 (07/26/2025, 01:04:37 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Voting System

Description

A vulnerability was found in code-projects Voting System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/candidates_add.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/26/2025, 01:32:41 UTC

Technical Analysis

CVE-2025-8174 is a vulnerability identified in version 1.0 of the code-projects Voting System, specifically within the /admin/candidates_add.php file. The vulnerability arises from improper handling of the 'photo' argument, which allows an attacker to perform an unrestricted file upload: arbitrary files, potentially including malicious scripts or executables, can be uploaded without sufficient validation or restrictions. The CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates that the vulnerability is exploitable remotely over the network with low attack complexity and no user interaction, but it does require low privileges (PR:L), i.e. some level of authenticated access. The CVSS score of 5.3 (medium severity) reflects this combination of network reachability, low complexity and a low-privilege requirement. The impact on confidentiality, integrity, and availability is rated low, but the unrestricted upload could be leveraged to execute arbitrary code or escalate privileges if combined with other vulnerabilities or misconfigurations. No exploitation in the wild is currently known, but the exploit details have been disclosed publicly, increasing the risk of future exploitation. The vulnerability affects only version 1.0 of the Voting System product from code-projects, which is typically used to manage voting processes, candidate information, and related administrative functions.

Potential Impact

For European organizations using the affected Voting System 1.0, this vulnerability poses a risk of unauthorized file uploads that could lead to remote code execution or website defacement. Given that voting systems are critical for democratic processes, exploitation could undermine the integrity and trustworthiness of election management platforms. Even if direct election manipulation is unlikely, attackers could use the vulnerability to gain a foothold in the system, pivot to other internal resources, or disrupt availability. The medium CVSS score suggests moderate risk, but the critical nature of voting systems elevates the potential impact beyond typical web application vulnerabilities. Organizations involved in local or organizational elections, political parties, or civic engagement platforms using this software could face reputational damage, data breaches, or service disruptions. Additionally, the lack of patches and public exploit disclosure increases urgency for mitigation.

Mitigation Recommendations

1. Immediate upgrade or replacement: Organizations should upgrade to a patched version of the Voting System if available or migrate to alternative, secure voting platforms.
2. Implement strict file upload controls: If upgrading is not immediately possible, apply web application firewall (WAF) rules to restrict file types, sizes, and upload locations, and block execution of uploaded files in the upload directory.
3. Restrict access to the /admin/candidates_add.php endpoint: Limit access to trusted administrators via IP whitelisting or VPN to reduce exposure.
4. Monitor logs and file system: Continuously monitor upload directories and web server logs for suspicious activity or unexpected file uploads.
5. Harden server configurations: Disable execution permissions on upload directories and enforce least privilege principles on web server processes.
6. Conduct security assessments: Perform penetration testing and code reviews to identify and remediate similar vulnerabilities.
7. Educate administrators: Train system administrators on secure file upload practices and incident response procedures.
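As an added example (not code from the code-projects Voting System and not part of this advisory), the following PHP handler shows what the strict upload controls of item 2 and the server hardening of item 5 look like inside the application: the client-supplied file name, extension and Content-Type are ignored, the real type is sniffed from the bytes and cross-checked with the image parser, the file gets a server-chosen random name with a fixed extension, and it is stored in a non-executable directory outside the web root. It assumes a form field named `photo`, a hypothetical storage path `UPLOAD_DIR`, and that an authenticated admin session check has already run before this code.

```php
<?php
// Added example, not code from the code-projects Voting System.
// Assumptions: form field "photo"; UPLOAD_DIR is a hypothetical directory
// that the web server does not serve; an admin session check ran already.

declare(strict_types=1);

const UPLOAD_DIR      = '/var/app/voting/uploads/candidates'; // hypothetical, outside web root
const MAX_PHOTO_BYTES = 2 * 1024 * 1024;

// Only the raster image types the feature needs. The map ties the sniffed
// MIME type to the extension the server will assign itself.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate an uploaded candidate photo and move it into UPLOAD_DIR.
 * Returns the stored file name on success and throws on any failure.
 * Nothing from $_FILES['photo']['name'] or ['type'] is trusted.
 */
function storeCandidatePhoto(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file sent');
    }
    // Rejects paths that did not come through PHP's own upload handling.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a PHP-managed upload');
    }
    if ($file['size'] > MAX_PHOTO_BYTES) {
        throw new RuntimeException('photo exceeds size limit');
    }

    // Sniff the content type from the bytes, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type');
    }

    // Require the file to parse as an image of the same type. This rejects
    // many script payloads carrying only a magic prefix, but it is not a
    // complete guarantee, which is why the directory is never web-served.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('file is not a valid image');
    }

    // Server-chosen name: random, fixed extension, no user-controlled path parts.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store photo');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Usage inside the admin "add candidate" handler, after the session check.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    try {
        $stored = storeCandidatePhoto($_FILES['photo']);
        // Persist $stored with the candidate record and serve it through a
        // read-only handler that sets an image Content-Type and
        // X-Content-Type-Options: nosniff, rather than linking the path directly.
    } catch (RuntimeException $e) {
        http_response_code(400);
        // Rejected uploads are logged so the monitoring in item 4 can see them.
        error_log('candidate photo rejected: ' . $e->getMessage());
        exit('Invalid photo upload');
    }
}
```

The application-level checks only cover what the code can see; if an upload directory must be web-served at all, the web server should additionally be configured to refuse script execution there (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that a file which slips past validation is served as static bytes rather than run.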


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-25T07:52:57.558Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68842cb9ad5a09ad0058f286

Added to database: 7/26/2025, 1:17:45 AM

Last enriched: 7/26/2025, 1:32:41 AM

Last updated: 7/26/2025, 3:32:05 AM
