CVE-2025-0792
Published: 29 January 2025
Description
A vulnerability, which was classified as critical, was found in ESAFENET CDG V5. Affected is an unknown function of the file /sdTodoDetail.jsp. The manipulation of the argument flowId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-0792 is a critical SQL injection vulnerability (CWE-74, CWE-89) in ESAFENET CDG V5, affecting an unknown function within the file /sdTodoDetail.jsp. The flaw is triggered by manipulation of the flowId argument, enabling SQL injection attacks. It was published on 2025-01-29 and carries a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by attackers possessing low privileges, such as authenticated users with basic access. Exploitation requires low complexity and no user interaction, allowing limited impacts: low confidentiality (partial data exposure), integrity (minor modifications), and availability (slight service disruption).
Advisories from VulDB and a detailed GitHub report detail the proof-of-concept exploit, which has been publicly disclosed and may be actively used. The vendor was notified early regarding the issue but provided no response, leaving no official patches or mitigation steps documented in the available references.
Details
- CWE(s)