CVE-2025-50984

diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/4rdr/proofs/blob/main/info/diskover-web-v2.3.0-community-edition-sqli.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:diskoverdata:diskover:2.3.0:*:*:*:community:*:*:*

History

No history.

Information

Published : 2025-08-27 16:15

Updated : 2025-09-09 18:46

NVD link : CVE-2025-50984

Mitre link : CVE-2025-50984

CVE.ORG link : CVE-2025-50984

JSON object : View

Products Affected

diskoverdata

diskover

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-50984", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-08-27T16:15:36.053", "references": [{"url": "https://github.com/4rdr/proofs/blob/main/info/diskover-web-v2.3.0-community-edition-sqli.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction."}, {"lang": "es", "value": "diskover-web v2.3.0 Community Edition es vulnerable a m\u00faltiples fallos de inyecci\u00f3n SQL ciega basados en booleanos en su formulario de configuraci\u00f3n de Elasticsearch. Entradas de usuario sin depurar en par\u00e1metros POST como ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE y otros pueden manipularse para inyectar expresiones SQLite arbitrarias envueltas en funciones JSON. Al explotar estos puntos de inyecci\u00f3n, un atacante puede inferir o extraer informaci\u00f3n confidencial de la base de datos subyacente sin autenticaci\u00f3n. Este problema se debe a una validaci\u00f3n y parametrizaci\u00f3n incorrectas de las entradas en la construcci\u00f3n de consultas basadas en JSON de la aplicaci\u00f3n."}], "lastModified": "2025-09-09T18:46:38.853", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:diskoverdata:diskover:2.3.0:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "1C1C6558-A8F2-4821-B926-239A1F4FB03A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}