CRITICAL🇵🇱 Wersja polska

CVE-2025-26852

CVSS 10.0v3.1pub. 2025-03-20upd. 2025-04-23

DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 allows SQL Injection.

🤖 AI Analysis
How it works

The vulnerability consists of improper validation or lack of parameterization of input data passed to SQL queries (CWE-89). An attacker can inject arbitrary SQL code over the network without needing to have an account in the system. Due to the changed scope (Scope: Changed in the CVSS vector), exploitation can affect resources beyond the directly attacked component, such as other databases or systems sharing the environment.

Impact

An attacker can gain full access to data stored in the database (confidentiality), modify or delete data (integrity), and potentially cause system unavailability or execute commands at the database server level (availability).

Mitigation & patch

Descor Infocad must be updated immediately to version 3.5.2.0, in which the vulnerability has been fixed. Detailed information is available in the vendor's changelog at https://www.infocadfm.com/changelog/sql-injection/

Who is affected

Descor Infocad in version 3.5.1 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Descor Infocad

    APP
    Descor
    < 3.5.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-26853CRITICAL10.0PL ✓ten sam produkt

Descor Infocad — złamany schemat autoryzacji (CVSS 10.0)

CVE-2018-13789HIGH7.5ten sam vendor

An issue was discovered in Descor Infocad FM before 3.1.0.0. An unauthenticated web service allows the retriev...