SQL Injection in DomainsPRO

Posted date 12/05/2025
Identifier
INCIBE-2024-0181
Importance
5 - Critical
Affected Resources

DomainsPRO, 1.2 version.

Description

INCIBE has coordinated the publication of a critical severity vulnerability affecting DomainsPRO v1.2, an Internet domain management tool, which has been discovered by Gonzalo Aguilar Garcia (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40628: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
Solution

The vulnerability has been fixed by the DomainsPRO team in version 1.3.

Detail

CVE-2025-40628: SQL injection vulnerability in DomainsPRO 1.2. This vulnerability could allow an attacker to retrieve, create, update and delete databases via the “d” parameter in the “/article.php” endpoint.
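The advisory names the pattern (CWE-89) but shows no code. The following is an added illustration, not DomainsPRO's code and not its schema: a hypothetical `article` lookup keyed by a request parameter `d`, written in Python over an in-memory SQLite table as a stand-in for the PHP endpoint. It places the injectable string-building version beside a hardened version that validates `d` as a bare integer and binds it as a query parameter, and wraps the hardened lookup in a request handler that rejects malformed ids before any query runs. The table contents and the `handle_request` status codes are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for an article table; not DomainsPRO's schema.
SAMPLE_ROWS = [
    (1, "Renewal notice"),
    (2, "Transfer policy"),
    (3, "Registrar contacts"),
]

ID_PATTERN = re.compile(r"[0-9]{1,9}")  # a bare decimal id and nothing else


def make_db() -> sqlite3.Connection:
    """Builds the in-memory table that both handlers query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_article_vulnerable(conn: sqlite3.Connection, d: str) -> list:
    """CWE-89 pattern: the raw request value becomes part of the SQL text, so any
    operator or clause the caller supplies is executed as SQL. Shown for contrast only."""
    sql = f"SELECT id, title FROM article WHERE id = {d}"
    return conn.execute(sql).fetchall()


def get_article_safe(conn: sqlite3.Connection, d: str) -> list:
    """Hardened handler: the value must be a plain integer, and even then it is
    bound as a parameter so the database never interprets it as SQL."""
    if not ID_PATTERN.fullmatch(d):
        raise ValueError("d must be a numeric article id")
    sql = "SELECT id, title FROM article WHERE id = ?"
    return conn.execute(sql, (int(d),)).fetchall()


def handle_request(conn: sqlite3.Connection, d: str) -> dict:
    """Request-level wrapper: a malformed id gets a 400-style rejection and no query runs."""
    try:
        rows = get_article_safe(conn, d)
    except ValueError as exc:
        return {"status": 400, "error": str(exc), "rows": []}
    return {"status": 200 if rows else 404, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    # The concatenating version returns every row for a value that is not an id at all;
    # the hardened version refuses it before touching the database.
    print("vulnerable, d='1 OR 1=1':", get_article_vulnerable(db, "1 OR 1=1"))
    print("hardened,   d='1 OR 1=1':", handle_request(db, "1 OR 1=1"))
    print("hardened,   d='2':       ", handle_request(db, "2"))
```

The input check and the bound parameter are independent layers: parameter binding alone already stops the value from being parsed as SQL, and the integer check additionally keeps junk out of logs and error paths. Because the advisory describes create, update and delete effects as well as reads, a third layer belongs outside the code: the database account the web application connects with should hold only the SELECT/INSERT/UPDATE/DELETE rights it needs on its own tables, never the privilege to create or drop databases.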