CVE-2025-1751
Published: 27 February 2025
Description
A SQL injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database content via the $idServicio parameter in the /modules/ajaxBloqueaCita.php endpoint.
Security Summary
CVE-2025-1751 is a SQL injection vulnerability (CWE-89) affecting Ciges version 2.15.5 from ATISoluciones. The issue exists in the $idServicio parameter within the /modules/ajaxBloqueaCita.php endpoint, allowing attackers to execute arbitrary SQL queries that can retrieve, create, update, or delete database content. Published on 2025-02-27, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access can exploit this vulnerability remotely with low attack complexity and no user interaction. Exploitation enables complete database manipulation, including data extraction, insertion, modification, or deletion, potentially leading to full compromise of the affected application and its data.
Mitigation details are available in the vendor advisory at https://www.atisoluciones.com/incidentes-cve.
Details
- CWE(s)