CVE-2025-0392
Published: 11 January 2025
Description
A vulnerability, which was classified as critical, was found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. Affected is the function datagridGraph of the file /graphReportController.do. The manipulation of the argument store_code leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 20250101 is able to address this issue. It is recommended to upgrade the affected component.
Security Summary
CVE-2025-0392 is a SQL injection vulnerability in Guangzhou Huayi Intelligent Technology's Jeewms application, affecting versions up to 20241229. The flaw is in the datagridGraph function served by /graphReportController.do, where the store_code argument reaches a SQL query without being neutralized, so an attacker-controlled value can alter the query's structure. It is remotely exploitable and is mapped to CWE-74 (improper neutralization of special elements used by a downstream component) and CWE-89 (SQL injection). The CVSS v3.1 base score is 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Note that 6.3 falls in the Medium band of the CVSS qualitative scale; the "critical" label in the description is the reporting database's own classification and should not be read as a CVSS Critical rating.
The vector requires low privileges (PR:L), that is, an authenticated account with ordinary rights, and can be exercised over the network with low attack complexity and no user interaction. The scored impact is limited on confidentiality, integrity, and availability (C:L/I:L/A:L): injected SQL can read data the caller is not entitled to, modify rows, or disrupt the service. In practice the reach of an injection is bounded by the privileges of the database account the application connects with and by the DBMS features available (stacked queries, file access, and so on), so the real impact on a given deployment may be wider or narrower than the vector suggests.
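The mechanics behind the store_code issue, as an added illustration rather than Jeewms's own code: the page does not show the query inside datagridGraph, so the table names, columns, and query shape below are constructed and hypothetical. The point is the contrast between splicing the request parameter into the SQL text and binding it as a parameter; the payloads are the generic tautology and UNION forms an attacker would place in store_code.

```python
import sqlite3

# Constructed in-memory schema for illustration only. The real Jeewms tables,
# columns, and the exact query in datagridGraph are not described in the advisory.
SCHEMA_AND_DATA = """
CREATE TABLE t_store (store_code TEXT, store_name TEXT, stock INTEGER);
INSERT INTO t_store VALUES ('S001', 'Store A', 120), ('S002', 'Store B', 75), ('S003', 'Store C', 0);
CREATE TABLE t_user (username TEXT, password_hash TEXT);
INSERT INTO t_user VALUES ('admin', 'hash-placeholder-not-a-real-hash');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA_AND_DATA)
    return con


def graph_rows_vulnerable(con, store_code):
    """Hypothetical reconstruction of the unsafe pattern (CWE-89): the request
    parameter is concatenated into the SQL text, so a quote inside store_code
    terminates the literal and the rest of the value is parsed as SQL."""
    sql = "SELECT store_name, stock FROM t_store WHERE store_code = '" + store_code + "'"
    return con.execute(sql).fetchall()


def graph_rows_fixed(con, store_code):
    """Parameterised form: store_code travels to the engine as a bound value and
    is never interpreted as part of the statement, whatever characters it holds."""
    sql = "SELECT store_name, stock FROM t_store WHERE store_code = ?"
    return con.execute(sql, (store_code,)).fetchall()


# Values an attacker would submit as the store_code argument.
BENIGN = "S001"
TAUTOLOGY = "' OR '1'='1"                                        # returns every store
UNION = "' UNION SELECT username, password_hash FROM t_user --"  # pivots to another table


def demo():
    """Run each payload through both query builders and return the rows each produced."""
    con = open_db()
    results = {}
    for name, payload in [("benign", BENIGN), ("tautology", TAUTOLOGY), ("union", UNION)]:
        results[name] = {
            "vulnerable": graph_rows_vulnerable(con, payload),
            "fixed": graph_rows_fixed(con, payload),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} vulnerable={r['vulnerable']}  fixed={r['fixed']}")
```

With the constructed data, the tautology payload makes the concatenated query return all three stores and the UNION payload returns the row from t_user, while the parameterised query returns nothing for either because it searches for the literal string. The UNION case matters for the C:L rating: even a "read-only" report endpoint lets the attacker read any table the application's database account can see.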
The only fix the advisory names is upgrading Jeewms to version 20250101. A public exploit exists, referenced from the VulDB entries and a Gitee issue, so exposed instances should be treated as exploitable by any low-privileged user. Until the upgrade is applied, restrict network access to the application and review requests to /graphReportController.do for store_code values that carry quotes, comment markers, or SQL keywords.
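A detection pass over web-server access logs, added here as an example and not part of the advisory or the Jeewms project. The log lines are constructed in the common combined format; the ?datagridGraph method selector in the URL is an assumption about how the endpoint is invoked, taken from the function and file names in the description rather than from observed traffic. The check decodes the store_code parameter and flags values containing SQL metacharacters or keywords, which is a heuristic for triage, not a substitute for the upgrade.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (combined log format). Lines 2 and 3 carry
# URL-encoded injection payloads in store_code; line 4 hits a different endpoint
# and contains a harmless apostrophe, to show the path filter doing its job.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:01:02 +0800] "GET /jeewms/graphReportController.do?datagridGraph&store_code=S001&page=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2025:10:01:09 +0800] "GET /jeewms/graphReportController.do?datagridGraph&store_code=S001%27%20OR%20%271%27%3D%271&page=1 HTTP/1.1" 200 9120
10.0.0.9 - - [12/Jan/2025:10:01:15 +0800] "GET /jeewms/graphReportController.do?datagridGraph&store_code=S001%27%20AND%20SLEEP%285%29--%20-&page=1 HTTP/1.1" 200 312
10.0.0.7 - - [12/Jan/2025:10:02:00 +0800] "GET /jeewms/loginController.do?checkuser&username=O%27Brien HTTP/1.1" 200 88
"""

# Combined-log prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of SQL injection in a single parameter value: string
# delimiters, statement separator, comment markers, or common SQL keywords.
SQLI_RE = re.compile(
    r"['\";]|--|/\*|\b(or|and|union|select|sleep|benchmark|waitfor)\b",
    re.IGNORECASE,
)


def suspicious_store_code_requests(log_text):
    """Return (client_ip, timestamp, decoded_store_code) for requests to
    graphReportController.do whose store_code looks like an injection attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        target = urlsplit(m.group("target"))
        if not target.path.endswith("/graphReportController.do"):
            continue  # only the vulnerable controller is of interest here
        # parse_qs percent-decodes values, so encoded quotes become literal quotes.
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get("store_code", []):
            if SQLI_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_store_code_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  store_code={value!r}")
```

On the sample log this reports the two requests from 10.0.0.9 and ignores both the legitimate store lookup and the unrelated login request. Expect false positives from legitimate codes that happen to contain words like "or" or "and"; treat a hit as a prompt to inspect the client's other requests, and remember that POST bodies and exploits sent over TLS to a reverse proxy will only appear if the proxy or application logs the parameters.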
Details
- CWE(s)