CVE-2025-1840
Published: 03 March 2025
Description
A vulnerability was found in ESAFENET CDG 5.6.3.154.205. It has been rated as critical. Affected by this issue is some unknown functionality of the file /CDGServer3/workflowE/useractivate/updateorg.jsp. The manipulation of the argument flowId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Security Summary
CVE-2025-1840 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting ESAFENET CDG version 5.6.3.154.205. The issue resides in an unknown functionality of the file /CDGServer3/workflowE/useractivate/updateorg.jsp, where manipulation of the flowId argument triggers the injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-03.
The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Exploitation via crafted flowId manipulation enables limited impacts on confidentiality, integrity, and availability through SQL injection.
Advisories and exploit details are available via VulDB (https://vuldb.com/?ctiid.298106, https://vuldb.com/?id.298106, https://vuldb.com/?submit.504384) and a GitHub report (https://github.com/Rain1er/report/blob/main/CDG/dXBkYXRlb3JnLmpzcA%3D%3D.md). The exploit has been publicly disclosed and may be used, with no specific patch or mitigation guidance detailed in the provided references.
Details
- CWE(s)