SQL Injection in SCATI Vision Web
SCATI Vision Web, versions 4.8 to 7.2.
INCIBE has coordinated the publication of a high severity vulnerability affecting SCATI Vision Web, a software for the management of video surveillance cameras, in versions 4.8 to 7.2, which has been discovered by Álex Rodríguez Pérez and Raúl Calvo Laorden.
This vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40985: CVSS v4.0: 8.3 | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N | CWE-89
The vulnerability has been fixed by the SCATI Vision team in version 7.3.1.0.
CVE-2025-40985: SQL injection vulnerability in SCATI Vision Web of SCATI Labs from version 4.8 to 7.2. This vulnerability allows an attacker to exfiltrate some data from the database via the ‘login’ parameter in the endpoint ‘/scatevision_web/index.php/loginForm’.
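The defect class behind CVE-2025-40985 (CWE-89) is a login value spliced into SQL text so that it can change the query's structure. The following is an added illustration, not SCATI's code and not the actual ‘/scatevision_web/index.php/loginForm’ handler: it places the vulnerable lookup pattern beside its parameterised form over a constructed in-memory SQLite table. The table name, column names and the probe string are assumptions made for the example; the point it demonstrates is that the same probe value changes the result set of the string-built query but is handled as a plain literal by the parameterised one, which is the property a regression test for the fix should assert.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's user store. The schema
    # (table 'users', columns 'login' and 'pw_hash') is an assumption for
    # this example, not SCATI's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def find_user_unsafe(conn, login):
    # Vulnerable pattern (CWE-89): the untrusted 'login' value becomes part of
    # the SQL text, so a quote character in it ends the literal and the rest
    # of the value is parsed as SQL.
    sql = f"SELECT login FROM users WHERE login = '{login}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, login):
    # Hardened pattern: a parameterised query. The SQL text is fixed and the
    # value travels separately, so it is compared as data and never parsed.
    rows = conn.execute("SELECT login FROM users WHERE login = ?", (login,))
    return [row[0] for row in rows]


# Constructed probe value for a regression test: a tautology that should
# match nothing once the lookup is parameterised.
PROBE = "nobody' OR '1'='1"


def regression_check():
    # Returns True when the hardened lookup treats the probe as a literal
    # (no match) while still finding a genuine user by exact name.
    conn = make_db()
    return find_user_safe(conn, PROBE) == [] and find_user_safe(conn, "alice") == ["alice"]


if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", find_user_unsafe(conn, PROBE))   # structure changed: matches a user
    print("safe:  ", find_user_safe(conn, PROBE))     # literal comparison: no match
    print("regression check passed:", regression_check())
```

The same idea carries over to the PHP side of a web application: a PDO or mysqli prepared statement with bound parameters replaces string concatenation, and the regression check above is the kind of test that confirms a fix such as the one shipped in 7.3.1.0 actually closes the injection path rather than merely filtering one payload.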