Introduction
A vulnerability identified by Nils Putnins (researcher of NCSC) allows an attacker to access services without any authentication required.
- CVSS Score: 8.6 (High)
- CVE: CVE-2025-26852
- Vulnerability Type: SQL Injection
- Product affected: Infocad Web Application
- Versions affected: Infocad Web Application <= v3.5.1.0
- Version fixed: Infocad Web Application v3.5.2.0
- Affected component: Web services
Vulnerability details
SQL Injection is a type of security vulnerability that occurs when an attacker inserts malicious SQL code into an input field of a web application. This allows the attacker to manipulate the application’s database queries, potentially gaining unauthorized access to sensitive data, modifying or deleting records, or even taking control of the database server.
Impact analysis
A malicious user can use the application to perform any functionality the database user has available. This includes querying, writing and deleting data that is accessible by the database account used by the web application.
Mitigation and remediations
A fix was deployed as part of Infocad Web Application v3.5.2.0. The application now uses parameterized queries and input validation controls properly configured within the software.
Acknowledgments
Descor would like to acknowledge and thank Nils Putnins for uncovering and reporting the vulnerability.
Timeline of events
- 2024-09-06: Vulnerability reported by security researcher
- 2024-10-14: Vulnerability analysis and acknowledgement to security researcher
- 2024-10-30: A fix is published as part of Infocad Web Application v3.5.2.0
- 2025-01-16: CVE requested
- 2025-02-16: CVE issued and incident page published
Current status:
1. Try first to reproduce the issue.
2. Acknowledge to the reporter.
3. Get a fix/patch prepared.
4. Release new version.
5. Prepare a report about the issue.
6. Feature the problem in an incident page.
Last updated: 2025-03-28 00:30:00 CET