CVE-2025-11944
BaseFortify

Publication date: 2025-10-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88a1f2697f9b35. It is recommended to apply a patch to fix this issue.
Meta Information
Published: 2025-10-19
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-10-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE:
Vendor: vvveb; Product: vvveb; Version / Range: up to 1.0.7.3 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-11944 is a critical SQL injection vulnerability in the Vvveb CMS version 1.0.7.3 and earlier. It exists in the import functionality, specifically in the admin/controller/tools/import.php file's Raw SQL Handler component. An authenticated administrator can exploit this by uploading a malicious .sql file through the import tool, which executes the SQL commands without proper sanitization. This allows the attacker to run arbitrary SQL queries on the backend database, potentially extracting sensitive information such as administrator passwords. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system. An attacker with administrator access can exploit the SQL injection to extract sensitive data, manipulate or delete database contents, and potentially disrupt the normal operation of the application. Since the attack requires authentication but can be initiated remotely, it poses a significant risk if an attacker gains admin credentials or access. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it risks unauthorized access to sensitive personal or protected health information stored in the database. Exploitation could lead to data breaches, violating confidentiality and data protection requirements mandated by these regulations. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your system is running Vvveb CMS version 1.0.7.3 or earlier and if the import functionality at admin/controller/tools/import.php is accessible. You can look for signs of exploitation by monitoring for uploads of malicious .sql files via the admin panel under Tools -> Import. Additionally, you can use Google Dorking with the query `inurl:admin/controller/tools/import.php` to identify vulnerable targets. There is no specific command provided, but monitoring web server logs for POST requests to this import endpoint with .sql file uploads can help detect attempts. [1, 2]
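The log-monitoring approach described above, written out as an added example that is not part of this record or of the Vvveb project: a small Python scanner that parses web server access log lines in the common "combined" format, keeps only POST requests whose path references the import tool, and tallies them per client address so a reviewer can spot unexpected use of the endpoint. The sample log lines are constructed, and the URL shape (`/admin/index.php?module=tools/import`) is an assumption; the scanner only requires that the request path contain `tools/import`, which also matches the file path named in the description.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Apache/nginx "combined" log format. Anchored with match(), so the trailing
# referer and user-agent fields are not required to be present.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: requests to the import tool carry this fragment in the URL path
# or query string. Adjust to the real route of the deployment being monitored.
IMPORT_PATH_MARKER = "tools/import"


@dataclass
class ImportHit:
    ip: str
    time: str
    path: str
    status: int


def scan_access_log(lines: Iterable[str]) -> List[ImportHit]:
    """Return every POST request that targets the import tool."""
    hits: List[ImportHit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        if m.group("method") != "POST":
            continue  # only uploads (POST) are of interest
        if IMPORT_PATH_MARKER not in m.group("path").lower():
            continue
        hits.append(ImportHit(
            ip=m.group("ip"),
            time=m.group("time"),
            path=m.group("path"),
            status=int(m.group("status")),
        ))
    return hits


def summarize_by_ip(hits: Iterable[ImportHit]) -> Dict[str, int]:
    """Count import-tool POSTs per client address for quick triage."""
    return dict(Counter(h.ip for h in hits))


# Constructed sample lines: two admin page views, two POSTs to the import
# route from a scripted client, one unrelated POST, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2025:10:01:02 +0000] "GET /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Oct/2025:10:01:40 +0000] "GET /admin/index.php?module=tools/import HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Oct/2025:10:02:13 +0000] "POST /admin/index.php?module=tools/import HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [19/Oct/2025:10:02:15 +0000] "POST /admin/index.php?module=tools/import HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '10.0.0.9 - - [19/Oct/2025:10:05:00 +0000] "POST /admin/index.php?module=content/posts HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    "garbage line that is not an access log entry",
]


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.time} {hit.ip} POST {hit.path} -> {hit.status}")
    print("per-IP totals:", summarize_by_ip(found))
```

Access logs do not record the uploaded filename, so this flags every POST to the import route; in practice, compare the hits against the set of administrators expected to use the tool, and treat POSTs from unfamiliar addresses or from non-browser clients (note the constructed `curl` user agent) as worth a closer look.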


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the available patch identified by commit 52204b4a106b2fb02d16eee06a88a1f2697f9b35, which removes the raw SQL import option and restricts imports to XML format only. This prevents execution of arbitrary SQL commands and mitigates the SQL injection vulnerability. Additionally, restrict access to the import functionality to trusted administrators and monitor for suspicious activity until the patch is applied. [2, 4]

