SQL injection at Comerzzia

Posted date 20/05/2025
Identifier
INCIBE-2025-0251
Importance
5 - Critical
Affected Resources

Comerzzia, version 3.0.15.

Description

INCIBE has coordinated the publication of a critical severity vulnerability affecting Comerzzia, a unified commerce platform for shop management, version 3.0.15, which has been discovered by Guillermo Mejías Climent (Flamberik).

This vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40635: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
Solution

The vulnerability has been fixed by the Comerzzia team in version 3.1.0, released on 31 May 2016.

Detail

CVE-2025-40635: SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint.
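The vulnerability class above (CWE-89) arises when request parameters are spliced into SQL text instead of being bound as values. The following is an added illustration, not Comerzzia code: it contrasts a string-concatenated lookup over three parameters with the parameterized form using an in-memory SQLite table. The table name, column names and sample rows are constructed for the example; they are not taken from the affected product.

```python
import sqlite3

# Constructed in-memory schema standing in for an application's login lookup.
# Table and column names are assumptions for this example, not Comerzzia's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE instance (uid_instance TEXT, cod_company TEXT, uid_activity TEXT)"
    )
    conn.executemany(
        "INSERT INTO instance VALUES (?, ?, ?)",
        [("inst-1", "ACME", "act-1"), ("inst-2", "O'Reilly", "act-2")],
    )
    conn.commit()
    return conn

def lookup_concat(conn, uid_instance, cod_company, uid_activity):
    # Vulnerable pattern (CWE-89): parameter values are spliced into the SQL text,
    # so any quote or operator inside a value becomes part of the statement grammar.
    sql = (
        "SELECT uid_instance FROM instance WHERE uid_instance = '" + uid_instance
        + "' AND cod_company = '" + cod_company
        + "' AND uid_activity = '" + uid_activity + "'"
    )
    return conn.execute(sql).fetchall()

def lookup_param(conn, uid_instance, cod_company, uid_activity):
    # Hardened form: bound placeholders keep the values out of the statement grammar,
    # so the database driver treats every character of the input as data.
    sql = (
        "SELECT uid_instance FROM instance WHERE uid_instance = ? "
        "AND cod_company = ? AND uid_activity = ?"
    )
    return conn.execute(sql, (uid_instance, cod_company, uid_activity)).fetchall()

def demo():
    # A legitimate value containing an apostrophe is enough to show the difference:
    # the concatenated query reaches the SQL parser broken, while the
    # parameterized one matches the intended row.
    conn = make_db()
    try:
        concat_result = lookup_concat(conn, "inst-2", "O'Reilly", "act-2")
    except sqlite3.OperationalError as exc:
        concat_result = "error: " + str(exc)
    param_result = lookup_param(conn, "inst-2", "O'Reilly", "act-2")
    return concat_result, param_result

if __name__ == "__main__":
    print(demo())
```

The concatenated variant behaves correctly for ordinary values, which is why such code tends to survive review; the apostrophe case is the first sign that input is reaching the SQL parser rather than being bound as a value. Any review of a login endpoint should look for the concatenated shape and replace it with the bound form.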
