CVE-2025-1958
Published: 04 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1958 is a critical SQL injection vulnerability in aaluoxiang oa_system version 1.0, affecting the processing of the file src/main/resources/mappers/address-mapper.xml. The flaw arises from improper handling of the 'outtype' argument, classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-04.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction. Manipulation of the 'outtype' argument enables SQL injection, potentially allowing limited impacts on confidentiality, integrity, and availability as per the CVSS metrics.
Advisories are available via VulDB (ctiid.298559, id.298559, submit.510750) and GitHub repositories detailing the exploit. The exploit has been publicly disclosed and may be used, but no specific patches or mitigations are detailed in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing OA system web app (address-mapper.xml 'outtype' parameter) enables exploitation of public-facing applications (T1190), database data collection (T1213.006), and server software component abuse (T1505 per VulDB).