CVE-2025-34059
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-11-20
Assigner: VulnCheck
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SQL injection flaw in the Dahua Smart Cloud Gateway Registration Management Platform. The application places the username parameter of the /index.php/User/doLogin endpoint into a database query without neutralizing SQL syntax, so an unauthenticated attacker can break out of the intended string literal and append arbitrary SQL to the login query. The injected SQL runs with the application's database privileges and can read or modify data the login query was never meant to touch. [2, 3]
How can this vulnerability impact me?
Exploitation can lead to unauthorized reading or manipulation of the database: data leakage, tampering, or destruction. The published analysis reports that, although database content could be manipulated, attempts to obtain a system shell or write a webshell through the injection failed because of MySQL's restrictions, so the primary impact is to the confidentiality and integrity of the database. Treat that as an observation from the published test rather than a guarantee for every deployment: whether file writes such as INTO OUTFILE are possible depends on the MySQL account's privileges and settings like secure_file_priv on the affected host. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is a remotely reachable web vulnerability, so it is detected by probing the login endpoint rather than by a host-level check. The published proof of concept sends the string `1') and updatexml(1,concat(0x7e,user(),0x7e),1)--+` in the username parameter of a POST to /index.php/User/doLogin; on a vulnerable MySQL-backed instance this error-based payload makes the database raise an XPath syntax error whose text contains the result of user(), which confirms the injection without needing a valid login. A Nuclei template aimed at this endpoint, or sqlmap, can automate the test. With sqlmap, supply the normal form body and let it generate the payloads instead of embedding one in --data, for example: `sqlmap -u "http://target/index.php/User/doLogin" --data="username=admin&password=any" -p username --technique=E --batch`. Note that the `+` at the end of `--+` is a URL-encoded space that terminates the MySQL comment; if a tool sends the body without form encoding, use `-- ` with a trailing space instead. [1, 2]
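As a detection-side complement to the probe above, the following Python is an added example, not code from BaseFortify, Dahua or the cited analysis. It scans constructed reverse-proxy log lines (the log format, IP addresses and timestamps are assumed; real proxies need request-body logging enabled to produce such lines) for error-based injection signatures in the username field of POSTs to /index.php/User/doLogin, and it extracts the value MySQL echoes back when the updatexml() payload fires.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (format assumed: timestamp, client IP, method, path,
# quoted request body). Line 2 carries the URL-encoded form of the payload
# quoted in the published analysis; line 3 is a benign name with a quote.
SAMPLE_LOG = """\
2025-07-01T10:00:00Z 203.0.113.5 POST /index.php/User/doLogin "username=admin&password=admin123"
2025-07-01T10:00:02Z 203.0.113.9 POST /index.php/User/doLogin "username=1%27%29+and+updatexml%281%2Cconcat%280x7e%2Cuser%28%29%2C0x7e%29%2C1%29--%2B&password=any"
2025-07-01T10:00:03Z 198.51.100.7 POST /index.php/User/doLogin "username=o%27brien&password=x"
2025-07-01T10:00:04Z 198.51.100.7 GET /index.php/User/login ""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "(.*)"$')
TARGET_PATH = "/index.php/User/doLogin"

# Signatures for the error-based technique used in the proof of concept.
SIGNATURES = [
    ("mysql xml error function", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("0x7e error marker", re.compile(r"concat\s*\(\s*0x7e", re.I)),
    ("quote break followed by boolean", re.compile(r"['\"]\)?\s*(and|or)\s", re.I)),
    ("trailing sql comment", re.compile(r"--(\s|\+|$)")),
]

# MySQL reports an invalid XPath as "XPATH syntax error: '~...~'"; the ~
# characters are the 0x7e delimiters the payload wraps around user().
XPATH_ERR = re.compile(r"XPATH syntax error: '~(.*?)~'")


def normalize(value):
    # Collapse /**/ (a whitespace substitute) and repeated spaces so simple
    # evasion does not slip past the regexes.
    return re.sub(r"\s+", " ", value.replace("/**/", " "))


def inspect_username(value):
    # Returns the names of all signatures that match the decoded username.
    v = normalize(value)
    return [name for name, rx in SIGNATURES if rx.search(v)]


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, body = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "body": body}


def scan(lines):
    # One alert per POST to the login endpoint whose username field matches.
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        # parse_qs decodes percent-escapes and turns '+' into a space, so the
        # username is inspected in the form the application itself receives.
        for username in parse_qs(rec["body"]).get("username", []):
            matches = inspect_username(username)
            if matches:
                alerts.append({"ts": rec["ts"], "ip": rec["ip"],
                               "username": username, "matches": matches})
    return alerts


def extract_leaked_value(response_body):
    # If a response contains the XPath error, the payload worked and the
    # leaked value (e.g. the output of user()) sits between the tildes.
    m = XPATH_ERR.search(response_body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
    # Constructed response fragment, as a vulnerable MySQL backend would emit.
    print(extract_leaked_value("Error: XPATH syntax error: '~root@localhost~'"))
```

The username-only scope mirrors the advisory, which names that parameter; widen the field list if the same query pattern turns up elsewhere in the platform. Matching on decoded values matters: a rule that looks for `--+` in the raw body misses a client that sends the space as `%20`.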
What immediate steps should I take to mitigate this vulnerability?
Apply the vendor's patch or update as soon as one is available. Until then, the code-level fix is to build the login query with prepared statements and bound parameters so the username is always treated as data; input validation on the username is a secondary layer, not a substitute. Run the application's database account with the minimum privileges it needs, so that a successful injection cannot reach beyond the tables the login needs, and monitor login requests for SQL syntax in the username field. Because the flaw is reachable without authentication, place the endpoint behind a web application firewall with SQL injection rules enabled and restrict network exposure of the management platform to the hosts that need it. [1, 2, 3]
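To make the flaw described in the first answer and the prepared-statement fix above concrete, the following Python is an added example and not Dahua's code: the exact query shape in the platform is unknown, so a simplified login query is assumed, and an in-memory SQLite table stands in for the MySQL database. SQLite has no updatexml(), so the bypass uses the same `')` break-out followed by a comment, while a helper renders the SQL text the platform would execute for the published payload.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the platform's user table (schema assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (username, password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def render_vulnerable_sql(username, password):
    # The vulnerable pattern: user input pasted straight into the SQL text.
    # The parentheses are why the proof-of-concept payload starts with ').
    return ("SELECT id FROM user WHERE (username='%s' AND password='%s')"
            % (username, password))


def login_vulnerable(conn, username, password):
    # Whatever SQL the attacker appended becomes part of the query.
    return conn.execute(render_vulnerable_sql(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    # Hardened form: placeholders bind the values as data. The quote and
    # comment characters in a malicious username never reach the parser.
    sql = "SELECT id FROM user WHERE (username=? AND password=?)"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # Break out of the literal and comment away the password check.
    bypass = "admin') -- "
    print(render_vulnerable_sql(bypass, "wrong"))
    print("vulnerable login with bad password:", login_vulnerable(conn, bypass, "wrong"))
    print("parameterized login with bad password:", login_safe(conn, bypass, "wrong"))
    # The published payload, as the vulnerable code would splice it into SQL.
    poc = "1') and updatexml(1,concat(0x7e,user(),0x7e),1)--+"
    print(render_vulnerable_sql(poc, "any"))
```

In the vulnerable path the comment-based username logs in as admin with any password; the parameterized path rejects the same input because the whole string is compared as a username. On MySQL the rendered proof-of-concept query would raise the XPath error that carries user(), which is exactly the signal the detection answer describes.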