CVE-2025-6267
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-10-09
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zhilink | adp_application_developer_platform | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6267 is a critical SQL injection vulnerability in version 1.0.0 of the ADP Application Developer Platform by zhilink 智互联(深圳)科技有限公司. It occurs in the /adpweb/a/base/barcodeDetail/ endpoint due to improper handling of input parameters barcodeNo, barcode, and itemNo. This allows an attacker to inject malicious SQL code remotely without authentication, potentially manipulating the database by extracting schema information and sensitive data through blind SQL injection techniques. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to compromise the confidentiality, integrity, and availability of the affected system. Specifically, attackers can extract database schema details, enumerate table names, and potentially access sensitive data stored in the database. This can lead to unauthorized data disclosure, data manipulation, and disruption of service. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /adpweb/a/base/barcodeDetail/ endpoint for SQL injection via the POST parameters barcodeNo, barcode, or itemNo. One method is to perform time-based blind SQL injection tests by sending payloads that induce delays, such as a POST request with barcodeNo containing a payload like 'and(select*from(select sleep(2))a union select 1)=' to observe response delays. For example, using curl: curl -X POST -d "barcodeNo='and(select*from(select sleep(2))a union select 1)='" https://target/adpweb/a/base/barcodeDetail/. Monitoring for increased response times indicates potential vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected ADP Application Developer Platform version 1.0.0 with an alternative solution, as no official patches or mitigations have been published by the vendor. Additionally, restricting access to the vulnerable endpoint, implementing web application firewalls (WAF) to detect and block SQL injection attempts, and applying input validation and sanitization on the barcodeNo, barcode, and itemNo parameters can help reduce risk. [1]