exploitDog

CVE-2025-56385

Опубликовано: 12 нояб. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

Ссылки

http://harmony.com
Broken Link
http://wellsky.com
Product
https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wellsky:harmony:4.1.0.2.83:*:*:*:*:*:*:*

EPSS

Процентиль: 35%

0.00143

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-rmrc-468w-2mpr

CVSS3: 9.8

github

3 месяца назад

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

EPSS

Процентиль: 35%

0.00143

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-89