Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A SQL injection vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to retrieve, create, update and delete databases through the name parameter in /antcatalogue.asp.
AnalysisAI
Critical SQL injection vulnerability in DM Corporative CMS affecting the /antcatalogue.asp endpoint's 'name' parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands with complete database compromise (retrieval, creation, modification, deletion). With a CVSS 9.8 score, zero authentication requirements, and network-accessible attack surface, this vulnerability represents an immediate and severe risk to all exposed instances; exploitation likelihood is extremely high given the straightforward injection point and lack of input validation.
Technical ContextAI
The vulnerability exists in DM Corporative CMS's ASP-based application layer, specifically the /antcatalogue.asp endpoint which processes user-supplied input through the 'name' parameter without proper sanitization or parameterized queries. This is a classic CWE-89 (SQL Injection) vulnerability where dynamic SQL construction concatenates unsanitized user input directly into database queries. The ASP framework processes these malicious SQL statements server-side against the backend database (likely SQL Server, Microsoft Access, or similar), allowing attackers to manipulate query logic. The lack of input validation, absence of prepared statements, and no apparent Web Application Firewall (WAF) protections compound the issue. Affected systems run DM Corporative CMS on Windows/IIS infrastructure with Active Server Pages technology.
RemediationAI
- Immediate Actions (Priority 0): Isolate or take offline affected DM Corporative CMS instances until patching is complete; disable the /antcatalogue.asp endpoint if not critical; implement emergency network-level access restrictions (firewall rules limiting /antcatalogue.asp access to trusted IPs only). 2. Input Validation (Temporary Mitigation): If patching cannot be immediate, implement whitelist-based input validation on the 'name' parameter accepting only alphanumeric characters; deploy Web Application Firewall (WAF) rules blocking SQL injection patterns (single quotes, UNION, SELECT, DROP, etc.). 3. Patching (Primary Remediation): Contact DM Corporative immediately for security patches; install latest patched version once released and validated in test environment; apply vendor-supplied patches to /antcatalogue.asp specifically addressing parameterized query usage. 4. Code-Level Fix: Replace dynamic SQL string concatenation with prepared statements/parameterized queries (ADO.NET parameters in ASP); implement input validation and output encoding; conduct security code review of similar vulnerable endpoints. 5. Detection & Monitoring: Deploy IDS/IPS rules detecting SQL injection attempts to /antcatalogue.asp; monitor database query logs for suspicious SQL syntax; implement SIEM alerting for exploitation attempts. 6. Vendor Advisory: Check https://www.dm-corporative.com or relevant vendor security bulletins for official patches and guidance (specific link depends on vendor disclosure). 7. Validate Remediation: Test patched systems against known SQL injection payloads in controlled environment before production deployment.
More in Dm Corporative Cms
View allCritical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp
Critical SQL injection vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to execute arbit
A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoi
CVE-2025-40662 is an absolute path disclosure vulnerability in DM Corporative CMS that exposes sensitive filesystem info
CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40660 is a security vulnerability (CVSS 7.5) that allows an attacker. High severity vulnerability requiring pro
CVE-2025-40659 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40658 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17654