CVE-2025-6116
BaseFortify
Publication date: 2025-06-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| das | parking_management_system | 6.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6116 is a critical SQL injection vulnerability in Das Parking Management System version 6.2.0, specifically in the API endpoint /IntraFieldVehicle/Search. The vulnerability occurs because the 'Value' parameter is not properly sanitized, allowing an attacker to inject malicious SQL code remotely without authentication. This can lead to unauthorized access and retrieval of sensitive data by manipulating the SQL queries executed by the system. [1, 2]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive user data, compromise of the confidentiality, integrity, and availability of the system, and potential full control over the affected database. Since the attack can be performed remotely without authentication, it poses a high security risk, potentially leading to data breaches and disruption of parking management services. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the API endpoint /IntraFieldVehicle/Search for SQL injection via the 'Value' parameter. You can use tools like curl or sqlmap to send crafted requests to the endpoint and observe if SQL errors or unexpected data are returned. For example, using curl: curl -X GET 'http://<target>/IntraFieldVehicle/Search?Value=' OR '1'='1' -- to check for SQL injection behavior. Alternatively, sqlmap can be used to automate detection: sqlmap -u 'http://<target>/IntraFieldVehicle/Search?Value=test' --batch. Monitoring network traffic for suspicious requests targeting this endpoint with unusual parameter values can also help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoint /IntraFieldVehicle/Search, such as implementing network-level controls (firewalls, IP whitelisting) to limit exposure. Since no known mitigations or patches are documented, consider disabling or removing the affected API if possible. Monitoring and blocking suspicious requests targeting the 'Value' parameter can reduce risk. Ultimately, replacing the affected product or upgrading to a version without this vulnerability is recommended once available. [2]