CVE-2025-11667

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Automated Voting System 1.0 allows attackers to manipulate database queries through the 'firstname' parameter in the admin interface. Remote attackers can potentially access, modify, or delete voting system data. Organizations using this software for elections or polls are affected.

💻 Affected Systems

Products:
  • code-projects Automated Voting System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin interface to be accessible; vulnerability exists in default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of voting database including voter records, candidate information, and election results; potential for election manipulation or data destruction.

🟠 Likely Case

Unauthorized access to sensitive voting data, modification of candidate information, or disruption of voting operations.

🟢 If Mitigated

Limited impact with proper input validation and database permissions preventing data modification.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects admin functionality that may be exposed online.
🏢 Internal Only: MEDIUM - Even internally, the vulnerability could be exploited by malicious insiders or through lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub; requires admin access to reach the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries or input validation in /admin/add_candidate_modal.php.

🔧 Temporary Workarounds

Input Validation and Sanitization (PHP)

Add server-side validation to sanitize the 'firstname' parameter before it reaches any database query.

Edit /admin/add_candidate_modal.php to use prepared statements (preferred) or, at minimum, mysqli_real_escape_string() on the value before it is placed in the query.
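The following is a constructed illustration added to this entry, not code from Automated Voting System 1.0: it shows the string-concatenation pattern that produces this class of defect next to the prepared-statement form the workaround above calls for. It assumes a mysqli connection `$conn` and a `candidates` table with a `firstname` column; the actual schema and query in the product may differ.

```php
<?php
// Constructed example for this advisory; not the project's own code.
// Assumes a mysqli connection $conn and a 'candidates' table with a 'firstname' column.

// BEFORE (vulnerable pattern): the raw POST value is spliced into the SQL text,
// so a quote character in 'firstname' changes the structure of the query.
function addCandidateVulnerable(mysqli $conn, array $post): bool
{
    $firstname = $post['firstname'];
    $sql = "INSERT INTO candidates (firstname) VALUES ('" . $firstname . "')";
    return (bool) $conn->query($sql);
}

// AFTER (hardened): the SQL text is fixed at prepare time and the value travels
// as a bound parameter, so the database never parses user input as SQL.
function addCandidateSafe(mysqli $conn, array $post): bool
{
    $firstname = trim((string) ($post['firstname'] ?? ''));

    // Validation on top of the prepared statement: a length bound and a character
    // allow-list. The pattern is an assumption about what a name may contain;
    // adjust it to the data you actually store.
    if ($firstname === '' || strlen($firstname) > 64
        || !preg_match('/^[\p{L}\p{M}\' .-]+$/u', $firstname)) {
        return false;
    }

    $stmt = $conn->prepare('INSERT INTO candidates (firstname) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $firstname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (connection values are placeholders):
//   $conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'voting');
//   $conn->set_charset('utf8mb4'); // keep the client charset explicit so binding/escaping is unambiguous
//   addCandidateSafe($conn, $_POST);
```

Note that the allow-list check is defence in depth; the prepared statement alone is what removes the injection, and escaping with mysqli_real_escape_string() is only a fallback where the query cannot be rewritten.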

Access Restriction (all platforms)

Restrict access to the admin interface using IP whitelisting or additional authentication.

Add .htaccess rules or firewall rules to limit access to the /admin/ directory.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Disable or remove the vulnerable /admin/add_candidate_modal.php file if the functionality is not required

🔍 How to Verify

Check if Vulnerable:

Test the /admin/add_candidate_modal.php endpoint with SQL injection payloads in the 'firstname' parameter.

Check Version:

Check software version in admin panel or configuration files.

Verify Fix Applied:

Attempt SQL injection after implementing fixes; verify database queries use parameterized statements.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface
  • Unexpected modifications to candidate tables

Network Indicators:

  • SQL injection patterns in HTTP POST requests to /admin/add_candidate_modal.php
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/add_candidate_modal.php" AND (payload CONTAINS "' OR" OR payload CONTAINS "UNION" OR payload CONTAINS "SELECT")
