SQL injection on the virtual campus platform of Diseño de Recursos Educativos
Posted date 27/10/2025
Identifier
INICBE-2025-0591
Importance
5 - Critical
Affected Resources
Virtual campus platform.
Description
INCIBE has coordinated the publication of a critical-severity vulnerability affecting the DRED Virtual Campus Platform, a virtual environment for the training process. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41009: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
Solution
The vulnerability has been resolved by the Diseño de Recursos Educativos team.
Detail
CVE-2025-41009: SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’.
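The following is an added example, not code from DRED or INCIBE: a string-built search query of the kind CWE-89 describes, next to a version that binds `buscame` as a parameter and escapes LIKE wildcards. The table and column names, the LIKE search and the length limit are assumptions (the platform's code is not published), and Python's `sqlite3` stands in for the platform's PHP and database stack.

```python
import sqlite3

MAX_TERM_LEN = 100  # assumed limit for a catalogue search box


def build_demo_db():
    """Constructed sample data; the real schema is not published."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cursos (id INTEGER PRIMARY KEY, "
               "titulo TEXT, publicado INTEGER)")
    db.executemany(
        "INSERT INTO cursos (titulo, publicado) VALUES (?, ?)",
        [("Excel 100% online", 1), ("Python avanzado", 1),
         ("Borrador interno", 0)],
    )
    return db


def search_unsafe(db, buscame):
    # CWE-89 pattern: the request value is spliced into the SQL text,
    # so a quote in the value changes the structure of the statement.
    sql = ("SELECT titulo FROM cursos WHERE publicado = 1 "
           "AND titulo LIKE '%" + buscame + "%'")
    return [row[0] for row in db.execute(sql)]


def escape_like(term):
    # Binding stops injection, but % and _ are still LIKE wildcards;
    # escape them so the term is matched literally.
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def search_safe(db, buscame):
    if not isinstance(buscame, str) or len(buscame) > MAX_TERM_LEN:
        raise ValueError("invalid search term")
    pattern = "%" + escape_like(buscame) + "%"
    # The value travels as a bound parameter, never as SQL text.
    sql = ("SELECT titulo FROM cursos WHERE publicado = 1 "
           "AND titulo LIKE ? ESCAPE '\\'")
    return [row[0] for row in db.execute(sql, (pattern,))]
```

With a constructed term containing a quote, `search_unsafe` returns every row, including the unpublished one, while `search_safe` treats the same term as literal text and returns nothing.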
CVE
Exploitation
No



