CVE-2025-12462
Blind SQL Injection in DobryCMS Allows Remote Data Access
Publication date: 2026-03-02
Last updated on: 2026-03-31
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| studio_fabryka | dobrycms | to 8.0 (exc) |
| studio_fabryka | dobrycms | to 5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-12462 is a Blind SQL Injection vulnerability found in DobryCMS software developed by Studio Fabryka. It affects all versions up to 8.0. The vulnerability allows a remote, unauthenticated attacker to inject arbitrary SQL queries through the URL path.'}, {'type': 'paragraph', 'content': "Because it is a Blind SQL Injection, the attacker can manipulate the database queries without directly seeing the results, but can infer information based on the application's behavior."}, {'type': 'paragraph', 'content': 'This issue was fixed in versions above 8.0.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to execute arbitrary SQL queries on the DobryCMS database without authentication.
Potential impacts include unauthorized access to sensitive data, data leakage, data modification, or even deletion of data stored in the database.
Since the attacker can inject SQL commands, it may lead to a full compromise of the database, affecting the confidentiality, integrity, and availability of the data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing for Blind SQL Injection in the URL path of DobryCMS instances up to version 8.0. This involves sending crafted HTTP requests with SQL syntax injected into the URL path and observing the responses for signs of SQL injection behavior.'}, {'type': 'paragraph', 'content': 'A common approach is to use tools like curl or specialized SQL injection testing tools to send requests with payloads designed to trigger different responses based on the injected SQL.'}, {'type': 'list_item', 'content': 'Example curl command to test for Blind SQL Injection: curl -i "http://target/dobrycms/path\' AND 1=1--"'}, {'type': 'list_item', 'content': 'Followed by: curl -i "http://target/dobrycms/path\' AND 1=2--" to compare responses and detect differences indicating injection.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade DobryCMS to a version above 8.0, where this Blind SQL Injection vulnerability has been fixed.
Until the upgrade can be performed, consider implementing web application firewall (WAF) rules to block suspicious SQL injection attempts in URL paths.
Additionally, restrict access to the affected application where possible and monitor logs for unusual URL requests that may indicate exploitation attempts.