SQL injection in Infoticketing

Posted date 28/11/2025
Identifier
INCIBE-2026-137
Importance
5 - Critical
Affected Resources

Infoticketing

Description

INCIBE has coordinated the publication of one critical-severity vulnerability affecting Infoticketing, a system for managing event tickets. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-41002: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
Solution

The vulnerability has been fixed by the Infoticketing team in the latest version.

Detail

CVE-2025-41002: SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete database contents by sending a POST request with a crafted value in the 'code' parameter of '/components/cart/cartApplyDiscount.php'.
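The defect class behind this advisory (CWE-89) arises when a request parameter such as a discount code is concatenated into the SQL text, so the value can change the statement itself. The following is an added illustration written for this page, not Infoticketing's code: it shows a discount-code lookup in the unsafe pattern beside the hardened form using a PDO prepared statement plus input validation. The table and column names (discounts, code, percent, active) and the code format are assumptions; the sample data is constructed for an in-memory SQLite database.

```php
<?php
// Added illustration of the CWE-89 pattern, not Infoticketing's code.
// Table/column names (discounts, code, percent, active) are assumptions.

// UNSAFE: the request parameter is concatenated into the SQL text, so a value
// containing SQL metacharacters becomes part of the statement rather than data.
function findDiscountUnsafe(PDO $db, string $code): ?array
{
    $sql = "SELECT code, percent FROM discounts WHERE code = '" . $code . "' AND active = 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: a prepared statement sends the value separately from the SQL text, so user
// input cannot alter the statement structure. Validation of the expected code shape
// is defence in depth, not the primary control.
function findDiscountSafe(PDO $db, string $code): ?array
{
    // Assumed code format: 3-32 upper-case letters, digits or hyphens.
    if (!preg_match('/^[A-Z0-9-]{3,32}$/', $code)) {
        return null;
    }
    $stmt = $db->prepare('SELECT code, percent FROM discounts WHERE code = :code AND active = 1');
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database (constructed sample data).
// On MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, binds the parameters.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE discounts (code TEXT PRIMARY KEY, percent INTEGER, active INTEGER)');
$db->exec("INSERT INTO discounts VALUES ('SPRING10', 10, 1), ('OLD50', 50, 0)");

// A legitimate code is found by both versions; an inactive one is not.
var_dump(findDiscountSafe($db, 'SPRING10'));   // ['code' => 'SPRING10', 'percent' => 10]
var_dump(findDiscountSafe($db, 'OLD50'));      // NULL

// A value containing a stray quote: the safe version treats it as an unknown code,
// while the unsafe version lets it break the SQL syntax (the symptom of the defect).
$odd = "SPRING10'";
var_dump(findDiscountSafe($db, $odd));         // NULL
try {
    findDiscountUnsafe($db, $odd);
} catch (PDOException $e) {
    echo "unsafe query failed: ", $e->getMessage(), "\n";
}
```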

CVE

Identifier       Severity   Exploitation   Vendor
CVE-2025-41002   Critical   No             Infoticketing