CRITICAL🇵🇱 Wersja polska

CVE-2025-0585

CVSS 9.8v3.1pub. 2025-01-20upd. 2025-11-17

The a+HRD from aEnrich Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

🤖 AI Analysis
How it works

An attacker can inject arbitrary SQL commands directly into queries executed by the application by sending appropriately crafted requests to the remote system. The application does not perform sufficient validation or sanitization of input data before passing it to the database engine. As a result, malicious SQL commands are executed with the privileges of the database account used by the application.

Impact

An attacker can read, modify, and delete the contents of the HR and payroll system database, which may lead to the disclosure of sensitive employee data, data integrity violations, and complete destruction of database resources.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references published by TWCERT: https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html. Additionally, it is recommended to restrict network access to the application only to trusted IP addresses and implement firewall rules blocking unauthorized access from external networks.

Who is affected

The A+HRD application from aEnrich Technology — specific versions indicated in the manufacturer's references (TWCERT)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Aenrich A\+hrd

    APP
    Aenrich
    ≤ 7.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-12870CRITICAL9.3PL ✓ten sam produkt

Authentication Abuse w aEnrich a+HRD — przejęcie tokenu administratora

CVE-2025-12871CRITICAL9.3PL ✓ten sam produkt

Aenrich A+HRD – obejście uwierzytelnienia przez fałszywe tokeny administratora

CVE-2023-20852CRITICAL9.8ten sam produkt

aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ interpreter....

CVE-2023-20853CRITICAL9.8ten sam produkt

aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ asynchronize...

CVE-2022-39041CRITICAL9.8ten sam produkt

aEnrich a+HRD has insufficient user input validation for specific API parameter. An unauthenticated remote att...