CVE-2025-14189
BaseFortify
Publication date: 2025-12-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| changjetong_information_technology | chanjet_crm | 20251121 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection in Chanjet CRM up to version 20251121. It occurs in an unknown function within the file /tools/jxf_dump_table_demo.php, where manipulation of the argument gblOrgID allows an attacker to inject malicious SQL code. The attack can be performed remotely, and an exploit is publicly available.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute arbitrary SQL commands on the affected system remotely. This can lead to unauthorized access to, modification of, or deletion of data within the database, potentially compromising the confidentiality, integrity, and availability of the system and its data.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing restrictive firewall rules to block unauthorized access to the vulnerable endpoint `/tools/jxf_dump_table_demo.php`. Additionally, input filtering and validation should be applied to the `gblOrgID` parameter to prevent SQL injection attacks. Since the vulnerability can be exploited remotely without authentication, restricting access to the affected URL and sanitizing inputs are critical. Monitoring and blocking suspicious requests targeting this endpoint can also help reduce risk until a proper patch or update is available. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized access to sensitive information through SQL injection, it could potentially lead to breaches of confidentiality and data protection requirements mandated by such regulations. Organizations using the affected Chanjet CRM system may face compliance risks if the vulnerability is exploited and sensitive personal or protected health information is exposed. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP GET requests to the vulnerable endpoint `/tools/jxf_dump_table_demo.php` with the `gblOrgID` parameter manipulated to include SQL injection payloads. A common detection method is to use a time-based blind SQL injection payload such as `id=1&gblOrgID=1 AND (SELECT 1 FROM (SELECT(SLEEP(2)))a)-- -` and observe if the server response is delayed by approximately 2 seconds, indicating vulnerability. Tools like SQLmap can be used to automate detection by sending requests without cookies, using a request file with the `-r` option and disabling cookie usage. Additionally, Google dorking with queries like `inurl:tools/jxf_dump_table_demo.php` can help identify vulnerable targets on the network. [1, 3]