CVE-2025-12328

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in shawon100 RUET OJ allows attackers to manipulate database queries via the Name parameter in /contestproblem.php. Attackers can potentially read, modify, or delete database content. All instances running code from commits up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5 are vulnerable.

💻 Affected Systems

Products:
  • shawon100 RUET OJ
Versions: All versions up to commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Rolling release model means no specific version numbers; identified by commit hash. All deployments using vulnerable code are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, or potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access, privilege escalation, or data corruption through SQL injection.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit is publicly available but requires understanding of SQL injection techniques. Attack vector is remote.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider implementing parameterized queries and input validation in /contestproblem.php.

🔧 Temporary Workarounds

Implement Input Validation

all

Add strict input validation for the Name parameter to only allow expected characters

Use Parameterized Queries

all

Replace direct string concatenation with prepared statements in PHP code

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns targeting /contestproblem.php
  • Restrict network access to the application using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check if your RUET OJ instance uses code from commit 18fa45b0a669fa1098a0b8fc629cf6856369d9a5 or earlier. Review /contestproblem.php for SQL statements built by directly concatenating the Name parameter.

Check Version:

git log --oneline -1

Verify Fix Applied:

Test the Name parameter with SQL injection payloads; the payloads should be blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation in web logs

Network Indicators:

  • HTTP requests to /contestproblem.php with SQL keywords in parameters

SIEM Query:

source=web_logs AND uri_path="/contestproblem.php" AND (param="Name" AND value MATCHES "(?i)(SELECT|UNION|INSERT|DELETE|DROP|--|;)")
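
The SIEM query above, written out as an added Python example (not part of the original advisory or the RUET OJ code base): it scans access-log lines for requests to /contestproblem.php and applies the advisory's pattern to the decoded Name value only. It assumes combined-format access logs and that Name arrives in the query string; the log lines are constructed, and the last one shows that the pattern also flags a benign contest name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern copied from the SIEM query above (note: no word boundaries).
SQLI = re.compile(r"(?i)(SELECT|UNION|INSERT|DELETE|DROP|--|;)")
# Client IP, request target and status from a common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_requests(lines, path="/contestproblem.php", param="Name"):
    """Return (client_ip, decoded_value) for each request whose `param` matches SQLI."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access-log request line
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue  # only the endpoint named in the advisory
        # parse_qs percent-decodes the value, so the pattern is matched
        # against what the application receives, and only for `param`.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if SQLI.search(value):
                hits.append((ip, value))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] '
    '"GET /contestproblem.php?Name=Warmup+Round HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] '
    '"GET /contestproblem.php?Name=x%27+UNION+SELECT+1 HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] '
    '"GET /index.php?Name=select HTTP/1.1" 200 100',
    # Benign name that still matches: "Selection" contains SELECT.
    '198.51.100.8 - - [01/Jan/2025:10:00:12 +0000] '
    '"GET /contestproblem.php?Name=Selection+Sort HTTP/1.1" 200 530',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(ip, repr(value))
```

Because the pattern has no word boundaries and includes a bare `;`, treat hits as leads to triage rather than confirmed attacks.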
