CVE-2025-34038

Sažetak

A SQL injection vulnerability exists in Fanwei e-cology 8.0 and prior via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes.

Reference

https://vulncheck.com/advisories/fanwei-e-cology-sql-injection
https://www.cnblogs.com/0day-li/p/14637680.html
https://www.cnvd.org.cn/flaw/show/CNVD-2021-33202
https://www.weaver.com.cn/

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

24-06-2025 - 02:15

Objavljeno

24-06-2025 - 02:15