CVE-2025-22964
Published: 15 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-22964 is an unauthenticated time-based blind SQL injection vulnerability in DDSN Interactive cm3 Acora CMS version 10.1.1. The flaw arises from insufficient input sanitization and validation in the "table" parameter, which allows attackers to inject malicious SQL queries directly into database operations without proper escaping or parameterization. This CWE-89 issue was published on 2025-01-15 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to impacts on confidentiality and integrity.
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables unauthorized access to the database, manipulation of data, or exposure of sensitive information, thereby compromising the application's integrity and confidentiality while having no direct impact on availability (A:N).
For details on mitigation, patches, or workarounds, refer to the advisory at https://github.com/padayali-JD/CVE-2025-22964.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated time-based blind SQL injection vulnerability in a public-facing CMS enables exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006) through malicious SQL queries, allowing exposure and manipulation of sensitive information.