CVE-2025-1820
Published: 02 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1820 is a critical SQL injection vulnerability affecting zj1983 zz versions up to 2024-8. The issue resides in the getOaWid function within the file src/main/java/com/futvan/z/system/zworkflow/ZworkflowAction.java, where manipulation of the tableId argument enables SQL injection. This flaw, classified under CWE-74 and CWE-89, carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely.
An attacker with low-privileged user access (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through injected SQL payloads.
Advisories from VulDB and GitHub repositories detail the vulnerability, noting that the exploit has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or mitigations are mentioned in the available references. Security practitioners should isolate affected systems and monitor for anomalous database queries until updates are available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web application (ZworkflowAction.java) enables exploitation of public-facing application (T1190), abuse of server software component (T1505 as cited by VulDB), and data collection from databases via arbitrary SQL queries (T1213.006).