CVE-2025-0462
Published: 14 January 2025
Description
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Security Summary
CVE-2025-0462 is a SQL injection vulnerability (CWE-74, CWE-89) in Shanghai Lingdang Information Technology's Lingdang CRM versions up to 8.6.0.0. The flaw affects the processing of the /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1 endpoint, where manipulation of the searchcontent argument enables injection. Published on 2025-01-14, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this remotely by crafting malicious searchcontent input, potentially achieving limited impacts on confidentiality, integrity, and availability through unauthorized SQL operations.
VulDB advisories (ctiid.291479, id.291479, submit.474254) and a GitHub document (BxYQ/ld/blob/main/ListView_SQL.doc) detail the issue, including a publicly disclosed exploit. The vendor was contacted early but provided no response, and no patches or official mitigations are available. Security practitioners should restrict access to the affected endpoint and monitor for anomalous database queries.
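The summary's closing recommendation is to restrict the affected endpoint and watch for anomalous queries. The following is an added example, not code from the advisory, VulDB or the vendor: a small Python scanner that reads combined-format web access log lines, isolates requests to the /crm/weixinmp/index.php endpoint with the module=Users and action=UsersAjax shape named above, and flags any whose searchcontent value carries SQL metacharacters or keywords that a legitimate CRM search term would not. The log lines, the indicator regex and the field names are constructed assumptions for illustration.

```python
"""Flag suspicious 'searchcontent' values on the Lingdang CRM endpoint named in
CVE-2025-0462. Added example; log lines and heuristics are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and request shape taken from the advisory text.
AFFECTED_PATH = "/crm/weixinmp/index.php"
AFFECTED_QUERY = {"module": "Users", "action": "UsersAjax"}
VULN_PARAM = "searchcontent"

# Heuristic (this example's assumption, not from the advisory): a CRM search
# term rarely contains quotes, SQL comment markers or these keywords.
SUSPICIOUS = re.compile(
    r"""['"`;]|--|/\*|\b(union|select|sleep|benchmark|waitfor)\b""",
    re.IGNORECASE,
)

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_request(target):
    """Split a request target into (path, {param: first_value}); percent-decoding
    is done by parse_qs so the indicator check sees the decoded value."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, {k: v[0] for k, v in qs.items()}


def is_affected_request(path, params):
    """True only for the vulnerable endpoint with the advisory's module/action."""
    return path == AFFECTED_PATH and all(
        params.get(k) == v for k, v in AFFECTED_QUERY.items()
    )


def flag_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_request(m.group("target"))
    if not is_affected_request(path, params):
        return None
    term = params.get(VULN_PARAM)
    if term is None:
        return None
    hit = SUSPICIOUS.search(term)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        VULN_PARAM: term,
        "indicator": hit.group(0),
    }


def scan(lines):
    """Run flag_line over an iterable of log lines and collect findings."""
    return [f for f in map(flag_line, lines) if f]


# Constructed sample log: one benign search, one suspicious search on the
# affected endpoint, one request to a different path, one with no search term.
SAMPLE_LOG = """\
198.51.100.4 - - [14/Jan/2025:10:00:01 +0000] "GET /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&searchcontent=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2025:10:00:05 +0000] "GET /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&searchcontent=%27%20OR%201%3D1 HTTP/1.1" 200 9031 "-" "curl/8.5.0"
198.51.100.4 - - [14/Jan/2025:10:00:09 +0000] "GET /crm/index.php?module=Users&action=ListView HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jan/2025:10:00:12 +0000] "GET /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The scanner keys on the full request shape rather than on the parameter name alone, so a searchcontent value elsewhere in the application does not produce noise, and it decodes the query string before matching so percent-encoded metacharacters are not missed. The same parsed fields feed a blocking rule just as well: a reverse proxy or WAF in front of the CRM can deny the affected path to anything but trusted source ranges until a vendor fix exists.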
Details
- CWE(s): CWE-74, CWE-89
- Affected Products: Shanghai Lingdang Information Technology Lingdang CRM, versions up to 8.6.0.0
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1213.004 (Data from Information Repositories: Customer Relationship Management Software)
Why these techniques?
SQL injection in Lingdang CRM (customer relationship management software) enables exploitation of a public-facing web application (T1190) and facilitates collection of data from CRM repositories (T1213.004).