CVE-2025-0333
Published: 09 January 2025
Description
A vulnerability, which was classified as critical, was found in leiyuxi cy-fast 1.0. Affected is the function listData of the file /sys/role/listData. The manipulation of the argument order leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-0333 is a critical SQL injection vulnerability in leiyuxi cy-fast version 1.0, affecting the listData function in the /sys/role/listData file. The issue arises from manipulation of the 'order' argument, enabling attackers to inject malicious SQL payloads. It has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-89. The vulnerability was published on 2025-01-09.
The attack is remotely exploitable over the network with low complexity and requires low privileges (PR:L), such as an authenticated user account, but no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling data exfiltration, modification, or disruption through SQL injection. An exploit has been publicly disclosed and may be used by attackers.
Advisories and additional details are available in referenced sources, including VulDB entries (vuldb.com/?ctiid.290820, vuldb.com/?id.290820, vuldb.com/?submit.475297) and a GitHub repository containing exploit information (github.com/d3do-23/cvelist/blob/main/cy-fast/sqli1.md). No specific patch or mitigation details are provided in the CVE description.
Details
- CWE(s)