Xiongwei Smart Catering Cloud Platform CVE-2025-14780
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761. The affected element is an unknown function of the file /dishtrade/dish_trade_detail_get. The manipulation of the argument filter results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
AnalysisAI
SQL injection in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761 allows authenticated remote attackers to manipulate the filter parameter in the /dishtrade/dish_trade_detail_get endpoint, resulting in limited confidentiality and integrity impact. Public exploit code exists; however, the CVSS score of 2.1 and EPSS percentile of 16% indicate low real-world exploitation probability despite authenticated network accessibility, suggesting the vulnerability may require specific application knowledge or platform-dependent conditions to achieve meaningful impact.
Technical ContextAI
The vulnerability resides in an unknown function handling the /dishtrade/dish_trade_detail_get endpoint within the Xiongwei Smart Catering Cloud Platform, a web-based restaurant management and ordering system. The root cause is improper input validation and parameterization of the filter parameter, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). SQL injection occurs when user-controlled input from the filter parameter is concatenated directly into SQL queries without proper escaping or prepared statement use, allowing attackers to alter query logic and extract or modify database records.
Affected ProductsAI
Xiongwei Smart Catering Cloud Platform version 2.1.6446.28761 is confirmed affected. The endpoint /dishtrade/dish_trade_detail_get is specifically vulnerable. No CPE string is provided in available data; version range or other affected releases are not documented in the references.
RemediationAI
Update Xiongwei Smart Catering Cloud Platform to a patched version released after 2.1.6446.28761. No specific patched version number is confirmed from available vendor advisories. Until patching is possible, implement immediate compensating controls: (1) apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the filter parameter (e.g., UNION-based, time-based blind SQL detection), accepting the trade-off of potential false positives that may require tuning; (2) restrict network access to the /dishtrade/dish_trade_detail_get endpoint via IP allowlisting or VPN, limiting exposure to trusted administrators and systems; (3) enforce least-privilege database account credentials for the application service account, limiting the dataset accessible even if SQL injection succeeds; (4) enable database-level query logging and anomaly detection to identify exploitation attempts. Contact the Xiongwei vendor for an official patched release. Monitor vuldb.com and GitHub issue #1 (zhangbuneng/3) for patch announcements.
Share
External POC / Exploit Code
Leaving vuln.today