Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A SQL injection vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to retrieve, create, update and delete databases through the codform parameter in /modules/forms/collectform.asp.
AnalysisAI
Critical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp endpoint via the 'codform' parameter, allowing remote attackers to execute arbitrary SQL commands without authentication. This vulnerability enables complete database compromise including data exfiltration, modification, and deletion with a CVSS score of 9.8. The exploitation likelihood depends on patch availability and active threat actor interest, though the network-accessible nature and lack of authentication requirements make this a severe priority for affected organizations.
Technical ContextAI
This vulnerability exists in DM Corporative CMS, a content management system written in Active Server Pages (ASP), specifically within the forms collection module. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which occurs when user-supplied input from the 'codform' parameter is directly concatenated into SQL queries without proper parameterized query preparation or input sanitization. The affected endpoint /modules/forms/collectform.asp processes form submissions and appears to accept a 'codform' identifier that is used to construct backend database queries. By injecting SQL metacharacters (such as single quotes, UNION clauses, or comment sequences) into the codform parameter, an attacker can modify the query logic to extract sensitive data, insert malicious records, update existing data, or delete database contents entirely. The ASP/classic ASP technology stack is legacy but still deployed in enterprise environments, making this a relevant threat to organizations with legacy web infrastructure.
RemediationAI
Immediate remediation steps: (1) Contact DM (vendor) for urgent security patch availability and patch timeline; (2) If patches are available, prioritize deployment to production environments within 24 hours, testing in non-production environments first; (3) Implement temporary mitigations if patches are unavailable: disable the /modules/forms/collectform.asp endpoint via web server configuration (IIS URL Rewrite rules or application firewall rules), restrict network access to this endpoint via firewall rules limiting access to trusted internal networks only, implement web application firewall (WAF) rules to detect and block SQL injection patterns in the 'codform' parameter (signature-based detection for SQL metacharacters); (4) Enable comprehensive logging and monitoring of all requests to /modules/forms/collectform.asp and review logs for evidence of exploitation attempts; (5) Conduct database access logging and monitoring to detect suspicious SQL activity; (6) Perform security code review of the collectform.asp source code to identify similar SQL injection vulnerabilities in other parameters or endpoints; (7) After patching, validate remediation by performing SQL injection testing against the endpoint.
More in Dm Corporative Cms
View allCritical SQL injection vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to execute arbit
Critical SQL injection vulnerability in DM Corporative CMS affecting the /antcatalogue.asp endpoint's 'name' parameter,
A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoi
CVE-2025-40662 is an absolute path disclosure vulnerability in DM Corporative CMS that exposes sensitive filesystem info
CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40660 is a security vulnerability (CVSS 7.5) that allows an attacker. High severity vulnerability requiring pro
CVE-2025-40659 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40658 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17652