CVE-2025-7934
BaseFortify
Publication date: 2025-07-21
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fuyang_lipengjun | platform | to 2025-06-29 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7934 is a critical SQL injection vulnerability in the fuyang_lipengjun platform. It occurs because the 'beanName' parameter in the '/sys/schedule/list' endpoint is not properly sanitized and is directly interpolated into an SQL query without using prepared statements. This allows an attacker to inject malicious SQL code, potentially extracting sensitive data or gaining control over the server. [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized access to sensitive database information, modification or deletion of data, and potentially full control over the affected server. This compromises the confidentiality, integrity, and availability of the system and can be initiated remotely. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint `/sys/schedule/list` with the `beanName` parameter for SQL injection. A common tool to detect such SQL injection vulnerabilities is sqlmap. For example, you can use the following command to test the vulnerability: python sqlmap.py -r request.txt --dbms=MySQL -p beanName --tamper=charencode,between --level 5 --flush-session -v 3 --current-user where `request.txt` contains a GET request to the endpoint with a sample `beanName` parameter. This command attempts to exploit the SQL injection and retrieve the current database user, confirming the vulnerability. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable component or replacing it with an alternative product, as no known mitigations or patches are documented. Additionally, you should restrict access to the vulnerable endpoint `/sys/schedule/list` to trusted users only, apply web application firewall (WAF) rules to detect and block SQL injection attempts, and monitor logs for suspicious activity. Ultimately, the vulnerable code should be fixed by implementing proper input sanitization and using prepared statements instead of string interpolation for SQL queries. [2, 3]