CVE-2025-40677
BaseFortify
Publication date: 2025-09-18
Last updated on: 2025-09-18
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| summar_software | portal_del_empleado | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection in Summar Software's Portal del Empleado. It allows an attacker to manipulate the database by sending a specially crafted POST request using the parameter "ctl00$ContentPlaceHolder1$filtroNombre" on the "/MemberPages/quienesquien.aspx" page. Through this, the attacker can retrieve, create, update, or delete data in the database.
How can this vulnerability impact me? :
The vulnerability can have a severe impact by allowing an attacker to access sensitive data, modify or delete database contents, potentially leading to data breaches, loss of data integrity, and disruption of services.