CVE-2025-1224
Published: 12 February 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1224 is a SQL injection vulnerability classified as critical in the ywoa application versions up to 2024.07.03. It affects the listNameBySql function within the file com/cloudweb/oa/mapper/xml/UserMapper.xml. The issue, tied to CWE-74 and CWE-89, allows manipulation leading to unauthorized SQL execution.
The vulnerability enables remote exploitation with low complexity (AV:N/AC:L) and requires low privileges (PR:L), without user interaction (UI:N) and with unchanged scope (S:U). A successful attack can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 6.3 (CVSS:3.1). An exploit has been publicly disclosed and may be actively used.
Advisories recommend upgrading to ywoa version 2024.07.04 to address the issue. Relevant details are available in references including Gitee issues at https://gitee.com/r1bbit/yimioa/issues/IBI731 and VulDB entries at https://vuldb.com/?ctiid.295210 and https://vuldb.com/?id.295210.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing OA web application's UserMapper.xml enables remote exploitation of public-facing application (T1190) and abuse of server software component for SQL command execution (T1505).