CVE-2025-25426
Published: 04 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-25426 is a SQL injection vulnerability (CWE-89) affecting yshopmall versions up to and including v1.9.0, specifically in the image listing interface. Published on 2025-03-04, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
The vulnerability can be exploited over the network by authenticated attackers with high privileges (PR:H), requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary SQL query execution, enabling attackers to read sensitive data, modify database contents, or disrupt service availability within the affected yshopmall instance.
Mitigation details are referenced in advisories at https://gist.github.com/Catherines77/79e6b69490b085d9c2d96c99e72c3579 and https://github.com/guchengwuyue/yshopmall/issues/34, which point to the yshopmall GitHub repository for further discussion and potential patches.
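The following is an added illustration of the CWE-89 pattern behind this class of bug, not code from yshopmall or from the advisories above: a listing query that splices user input into SQL text, beside the parameterized form. The table layout, the `type = 'public'` visibility rule and the function names are hypothetical and chosen only to show why a filter that seems to restrict results can be bypassed, and why an ORDER BY column (an identifier, which cannot be bound as a parameter) needs an allow-list rather than a bind parameter.

```python
import sqlite3

# Constructed in-memory stand-in for an image table (hypothetical schema,
# not yshopmall's actual layout). One row is intentionally non-public.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pic (id INTEGER PRIMARY KEY, name TEXT, type TEXT, url TEXT)"
    )
    conn.executemany(
        "INSERT INTO pic (name, type, url) VALUES (?, ?, ?)",
        [
            ("banner.png", "public", "/img/banner.png"),
            ("logo.png", "public", "/img/logo.png"),
            ("invoice-scan.png", "internal", "/img/private/invoice-scan.png"),
        ],
    )
    return conn


def list_pictures_vulnerable(conn, name_filter, sort_col="id"):
    # CWE-89: both the search string and the sort column are concatenated into
    # the SQL text, so a quote in name_filter changes the WHERE clause itself
    # and the "public only" restriction no longer means what the developer intended.
    sql = (
        "SELECT name, type FROM pic "
        f"WHERE type = 'public' AND name LIKE '%{name_filter}%' "
        f"ORDER BY {sort_col}"
    )
    return conn.execute(sql).fetchall()


# Identifiers cannot be passed as bind parameters, so the sort column is
# validated against a fixed set of known column names instead.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_pictures_fixed(conn, name_filter, sort_col="id"):
    # Hardened form: the value goes through a bind parameter (the driver keeps it
    # out of the SQL grammar), and the identifier is allow-listed before use.
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    sql = (
        "SELECT name, type FROM pic "
        "WHERE type = 'public' AND name LIKE ? "
        f"ORDER BY {sort_col}"
    )
    return conn.execute(sql, (f"%{name_filter}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Textbook tautology input: turns "public AND name LIKE ..." into "... OR 1=1".
    probe = "' OR 1=1 --"
    print("vulnerable:", list_pictures_vulnerable(db, probe))  # all rows, incl. internal
    print("fixed:     ", list_pictures_fixed(db, probe))       # no row has that name: []
    print("fixed/logo:", list_pictures_fixed(db, "logo"))      # [('logo.png', 'public')]
```

In the vulnerable function the constructed input rewrites the predicate to `(type = 'public' AND name LIKE '%') OR 1=1`, and the remainder of the statement is commented out, so the non-public row is returned; in the fixed function the same bytes are just an unusual file name that matches nothing. Detection for this pattern at the application tier is the usual one: query logs showing SQL fragments inside values that should be plain file names, and listing responses returning far more rows than the UI ever requests.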
Details
CWE(s): CWE-89 (SQL Injection)
Affected Products: yshopmall versions up to and including v1.9.0
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1213.006 (Data from Information Repositories: Databases)
Why these techniques?
The injection point is a network-reachable web application endpoint (the yshopmall image listing), so exploiting it maps directly to T1190; the arbitrary SQL queries it allows give the attacker database data access (T1213.006), with modification and disruption of data as secondary impacts.