CVE-2018-25202
SQL Injection in SAT CFDI 3.3 Allows Data Extraction
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sat | cfdi | 3.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2018-25202 is an SQL injection vulnerability found in SAT CFDI version 3.3 and earlier. It occurs in the signIn endpoint through the 'id' parameter, which does not properly sanitize user input. This flaw allows attackers to inject malicious SQL code into database queries.
Attackers can exploit this vulnerability by sending specially crafted POST requests using techniques such as boolean-based blind, stacked queries, or time-based blind SQL injection payloads. These methods enable attackers to manipulate database queries to extract sensitive information or compromise the application.
How can this vulnerability impact me? :
This vulnerability can have a significant impact by allowing unauthorized attackers to access sensitive data stored in the database. It can lead to data extraction, unauthorized data modification, or further exploitation of the backend database.
Because the vulnerability requires no privileges, user interaction, or authentication, it is relatively easy for attackers to exploit remotely. The impact on confidentiality is high, while the impact on integrity is limited and there is no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted POST requests to the /signIn endpoint with specially crafted payloads in the 'id' parameter to test for SQL injection.
- Boolean-based blind SQL injection test: Send a POST request with payload like `id=admin" AND 3577=3577 AND "Stsj"="Stsj&password=123456` and observe if the response differs from a normal request.
- Stacked queries test: Send a POST request with payload like `id=admin";SELECT SLEEP(5)#&password=123456` and check if the response is delayed, indicating execution of multiple queries.
- Time-based blind SQL injection test: Send a POST request with payload like `id=admin" AND SLEEP(5) AND "bWUR"="bWUR&password=123456` and observe if the response time is significantly delayed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in SAT CFDI 3.3 allows attackers to extract sensitive data or compromise the application by manipulating database queries. Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Because the vulnerability enables attackers to access confidential information without authentication, it poses a significant risk to compliance with standards that mandate strict controls over data confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in SAT CFDI 3.3, immediate steps include sanitizing and validating all user inputs, especially the 'id' parameter in the signIn endpoint.
Implement parameterized queries or prepared statements to prevent injection of malicious SQL code.
Restrict database permissions to limit the impact of any potential exploitation.
Monitor and block suspicious POST requests targeting the 'id' parameter with SQL injection payloads.
Apply any available patches or updates from the vendor addressing this vulnerability.