CVE-2025-0786
Published: 28 January 2025
Description
A vulnerability was found in ESAFENET CDG V5. It has been classified as critical. Affected is an unknown function of the file /appDetail.jsp. The manipulation of the argument flowId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-0786 is a SQL injection vulnerability (CWE-74, CWE-89) in ESAFENET CDG V5, affecting an unknown function within the file /appDetail.jsp. The issue arises from manipulation of the flowId argument, enabling remote SQL injection attacks. Published on 2025-01-28, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by authenticated attackers with low privileges. No user interaction is required, and the low attack complexity allows for straightforward exploitation, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access or modification.
VulDB advisories and a related GitHub report detail the vulnerability, noting that the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are referenced.
The exploit disclosure increases the risk of active use in the wild, though no confirmed real-world exploitation is reported.
Details
- CWE(s)