CVE-2025-1981 PUBLISHED

SQL Injection in Ready_

Assigner: CERT-PL
Reserved: 05.03.2025 Published: 16.04.2025 Updated: 16.04.2025

Improper neutralization of input provided by a low-privileged user into a file search functionality in Ready_'s Invoices module allows for SQL Injection attacks.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Product Status

Vendor: Symfonia
Product: Ready_
Versions: Default: unaffected
  • affected from 7.0.0.0 to 7.19.39.23 (incl.)
  • affected from 8.0.0.0 to 8.0.2.3 (incl.)

Credits

  • Maksymilian Kubiak, Sławomir Zakrzewski, Jakub Stankiewicz - Afine Team (finder)

Problem Types

  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impacts

  • CAPEC-66 SQL Injection