
CVE-2025-8237: SQL Injection in code-projects Exam Form Submission

Severity: Medium
Tags: Vulnerability, CVE-2025-8237
Published: Sun Jul 27 2025 (07/27/2025, 18:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Exam Form Submission

Description

A vulnerability was found in code-projects Exam Form Submission 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/update_s1.php. The manipulation of the argument credits leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/27/2025, 18:32:40 UTC

Technical Analysis

CVE-2025-8237 is a SQL injection vulnerability identified in version 1.0 of the code-projects Exam Form Submission application. The vulnerability resides in the /admin/update_s1.php file, specifically in the handling of the 'credits' parameter. An attacker can remotely manipulate this parameter to inject SQL into the query the script builds, potentially compromising the backend database. The vulnerability does not require authentication or user interaction, so it is reachable by any remote client that can contact the endpoint. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network accessible, no privileges or user interaction needed) combined with a low rating for the impact on confidentiality, integrity, and availability. The vulnerability has been publicly disclosed, but no exploitation in the wild is currently observed. The absence of patches or mitigations from the vendor increases the risk for organizations using this software. SQL injection can allow attackers to read, modify, or delete database contents, potentially leading to data breaches, unauthorized data manipulation, or denial of service. Because the vulnerability affects an administrative endpoint, successful exploitation could lead to significant unauthorized access or data integrity issues within the affected system.

Potential Impact

For European organizations using code-projects Exam Form Submission 1.0, this vulnerability poses a risk of unauthorized database access and manipulation. Educational institutions or certification bodies relying on this software for exam form processing could face data breaches involving sensitive student or candidate information. The integrity of exam records could be compromised, undermining trust and compliance with data protection regulations such as GDPR. Although the CVSS score is medium, the critical nature of exam data and administrative access elevates the potential impact. Disruption or manipulation of exam data could lead to operational downtime, reputational damage, and legal consequences. Additionally, if the compromised database contains personal data, organizations may face regulatory fines. The remote and unauthenticated nature of the vulnerability increases the attack surface, especially if the administrative interface is exposed to the internet or insufficiently protected by network controls.

Mitigation Recommendations

Organizations should immediately assess whether they use code-projects Exam Form Submission version 1.0 and restrict access to the /admin/update_s1.php endpoint to trusted internal networks only. Implementing web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the 'credits' parameter can provide a temporary defense. Input validation and parameterized queries should be enforced in the application code to eliminate SQL injection vectors; if source code access is available, developers must remediate the vulnerable code. In the absence of vendor patches, consider isolating the affected system from the internet and enforcing strict network segmentation. Regularly monitor logs for suspicious activity related to the vulnerable endpoint. Conduct security audits and penetration testing focused on injection vulnerabilities. Finally, prepare an incident response plan to quickly address any exploitation attempts.
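The remediation the paragraph above calls for (input validation plus parameterized queries for the 'credits' parameter) looks like the following in PHP. This is an added illustration, not the project's own code: the real update_s1.php is not reproduced here, and the table and column names ("subjects", "credits", "id"), the session flag and the database credentials are assumptions.

```php
<?php
// Added example (not the project's code): a hardened handler for an integer
// 'credits' parameter, contrasted with the concatenation pattern that makes
// SQL injection possible. Table/column names, the session flag and the
// database credentials are assumptions.

// VULNERABLE PATTERN (shown for comparison only): the request value is spliced
// into the query text, so any SQL metacharacters in 'credits' become part of
// the statement the database executes.
//   $sql = "UPDATE subjects SET credits = " . $_POST['credits'] . " WHERE id = " . $_POST['id'];
//   $mysqli->query($sql);

// HARDENED VERSION
session_start();
if (empty($_SESSION['admin_logged_in'])) {   // assumed session flag: the endpoint is administrative
    http_response_code(403);
    exit('forbidden');
}

// Validate type and range before the value gets anywhere near SQL.
$credits = filter_input(INPUT_POST, 'credits', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 100]]);
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($credits === false || $credits === null || $id === false || $id === null) {
    http_response_code(400);
    // Log rejections: repeated non-integer 'credits' values on this endpoint
    // are the signal the mitigation text recommends monitoring for.
    error_log('update_s1: rejected non-integer credits/id from ' . $_SERVER['REMOTE_ADDR']);
    exit('bad request');
}

$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'exam_db'); // placeholder credentials
$mysqli->set_charset('utf8mb4');

// Parameterized query: the values are bound as integers and are never parsed
// as SQL, regardless of their content.
$stmt = $mysqli->prepare('UPDATE subjects SET credits = ? WHERE id = ?');
$stmt->bind_param('ii', $credits, $id);
$stmt->execute();
echo $stmt->affected_rows === 1 ? 'updated' : 'no row updated';
$stmt->close();
```

The validation step alone would stop this particular parameter from carrying SQL, but the prepared statement is what removes the vulnerability class; keep both.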


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-26T13:44:03.058Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68866d4aad5a09ad007613e4

Added to database: 7/27/2025, 6:17:46 PM

Last enriched: 7/27/2025, 6:32:40 PM

Last updated: 7/30/2025, 12:34:40 AM
