SQL injection in DIAL's CentrosNet
Posted date 06/11/2025
Identifier
INCIBE-2025-0618
Importance
5 - Critical
Affected Resources
CentrosNet, versions prior to 2.65.
Description
INCIBE has coordinated the publication of a critical-severity vulnerability affecting DIAL's CentrosNet, an application for managing notifications between educational centers and the students and their parents. This vulnerability was discovered by Arnau Yepes.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE type:
- CVE-2025-10870: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89.
Solution
The vulnerability has been fixed by the DIAL team in version 2.65.
Detail
CVE-2025-10870: SQL injection vulnerability in DIAL's CentrosNet v2.64. Allows an attacker to retrieve, create, update, and delete databases by sending POST and GET requests with the 'ultralogin' parameter in '/centrosnet/ultralogin.php'.
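As an added example (not part of the INCIBE advisory and not DIAL's code), one way to triage web server access logs for requests to the endpoint and parameter named above while upgrading to 2.65. The combined log format, the suspicious-pattern heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/centrosnet/ultralogin.php"
TARGET_PARAM = "ultralogin"

# Assumed heuristic (not from the advisory): SQL metacharacters and keywords
# that a legitimate login value is not expected to contain.
SUSPICIOUS = re.compile(
    r"('|\"|;|--|/\*|\b(union|select|insert|update|delete|drop|sleep|benchmark)\b)",
    re.IGNORECASE,
)

# Assumed Apache/nginx combined log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def scan(lines):
    """Return (ip, timestamp, method, verdict) for requests worth reviewing."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        if url.path.lower() != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so encoded quotes are seen too.
        values = parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, [])
        if any(SUSPICIOUS.search(v) for v in values):
            verdict = "suspicious-query"
        elif m["method"] == "POST":
            # POST bodies are not in access logs; check WAF or application logs.
            verdict = "post-body-not-logged"
        else:
            continue
        findings.append((m["ip"], m["ts"], m["method"], verdict))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Nov/2025:10:00:01 +0000] "GET /centrosnet/ultralogin.php?ultralogin=abc123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Nov/2025:10:00:05 +0000] "GET /centrosnet/ultralogin.php?ultralogin=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [06/Nov/2025:10:00:09 +0000] "POST /centrosnet/ultralogin.php HTTP/1.1" 200 4096',
    '198.51.100.4 - - [06/Nov/2025:10:00:12 +0000] "GET /centrosnet/index.php?ultralogin=%27 HTTP/1.1" 200 100',
]
```

A `post-body-not-logged` verdict is only a pointer to where the parameter must be inspected, since the advisory states that both GET and POST requests carry it.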
CVE
Exploitation
No



