CVE-2025-0789
Published: 28 January 2025
Description
A vulnerability classified as critical has been found in ESAFENET CDG V5. This affects an unknown part of the file /doneDetail.jsp. The manipulation of the argument flowId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-0789 is a critical SQL injection vulnerability in ESAFENET CDG V5, specifically affecting an unknown functionality within the /doneDetail.jsp file. The issue arises from improper handling of the 'flowId' parameter, which an attacker can manipulate to inject malicious SQL code. Classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity despite the critical label.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption through SQL injection. The exploit has been publicly disclosed and is available for use, increasing the risk of active attacks.
Advisories from VulDB (ctiid.293913, id.293913, submit.483342) and a GitHub report detail the vulnerability, including proof-of-concept exploitation steps in /doneDetail.md. The vendor was notified early but has not responded or issued any patches, leaving affected systems without official mitigations; practitioners should implement input validation, parameterized queries, or restrict access to the endpoint as interim measures.
Details
- CWE(s)