Deer WMS 2
CVE-2025-8124
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; NVD is the only source for this CVE.
Description (CVE.org)
A vulnerability was found in deerwms deer-wms-2 up to 3.3. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/unallocatedList. The manipulation of the argument params[dataScope] leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] argument of the /system/role/authUser/unallocatedList endpoint. The vulnerability requires valid user credentials and has low overall impact (CVSS 2.1): it affects only data confidentiality and integrity, with no system availability impact. Publicly available exploit code exists, though the EPSS score (0.07%, 22nd percentile) indicates that exploitation remains uncommon in practice despite public disclosure.
Technical Context (AI)
Deer WMS 2 is a warehouse management system written in Java. The vulnerability exists in the role authorization module, specifically in the unallocatedList endpoint that handles user role allocation queries. The flaw stems from improper input validation on the dataScope parameter, which is passed directly into SQL query construction rather than bound through a parameterized statement (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly associated with SQL injection). The affected endpoint is accessible to authenticated users, who can manipulate the dataScope argument to inject SQL fragments that execute with the application's database privileges.
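As an added illustration (not code from deer-wms-2), the two query-building patterns the paragraph contrasts: a builder that concatenates a client-supplied params[dataScope] value into the SQL, beside a hardened builder that derives the scope clause from the caller's role and binds the only variable value as a placeholder. It assumes Java 16+ and a simplified sys_user/dept_id schema and User model that are not the project's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Constructed illustration of the flaw class; not code from deer-wms-2.
// Table and column names (sys_user, dept_id) are assumptions for the demo.
public class DataScopeExample {

    // Stand-in for the authenticated caller's role data (assumed model).
    record User(long deptId, boolean adminRole) {}

    // SQL text plus the values to bind through a PreparedStatement.
    record PreparedQuery(String sql, List<Object> args) {}

    static final String BASE =
        "SELECT u.user_id, u.user_name FROM sys_user u WHERE u.del_flag = '0'";

    // VULNERABLE pattern: the client-controlled params[dataScope] value is
    // concatenated into the query, so whatever the request carries becomes
    // SQL text executed in the application's database session.
    static String unallocatedListVulnerable(Map<String, String> params) {
        return BASE + " " + params.getOrDefault("dataScope", "");
    }

    // HARDENED pattern: the data-scope clause is chosen server-side from the
    // caller's role; request parameters never contribute SQL text, and the
    // one variable value (the department id) is bound as a placeholder.
    static PreparedQuery unallocatedListHardened(User caller, Map<String, String> params) {
        // params is accepted for API parity but deliberately not consulted for
        // dataScope; rejecting a request that carries it would also be sound.
        List<Object> args = new ArrayList<>();
        if (caller.adminRole()) {
            return new PreparedQuery(BASE, args);          // no scope filter
        }
        args.add(caller.deptId());
        return new PreparedQuery(BASE + " AND u.dept_id = ?", args);
    }

    public static void main(String[] argv) {
        // Constructed request input: a harmless clause shows that the
        // vulnerable builder copies client text straight into the SQL.
        Map<String, String> params = Map.of("dataScope", "AND u.dept_id = 100");
        System.out.println("vulnerable: " + unallocatedListVulnerable(params));
        PreparedQuery q = unallocatedListHardened(new User(42L, false), params);
        System.out.println("hardened:   " + q.sql() + "  args=" + q.args());
    }
}
```

Running main prints the vulnerable query with the client's clause embedded verbatim, while the hardened query is a fixed string whose department id arrives only through the bound argument list.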
Remediation (AI)
Upgrade Deer WMS 2 to a version newer than 3.3 when available from the vendor. If an immediate upgrade is not feasible, implement the following compensating controls:
1. Restrict network access to the /system/role/authUser/unallocatedList endpoint to a whitelist of trusted administrative IP addresses using a WAF or reverse proxy, reducing exposure to unauthorized users.
2. Apply database-level least-privilege principles by ensuring the application's database user account has SELECT permissions only on required tables and no direct INSERT/UPDATE/DELETE on role tables, limiting the SQL injection blast radius to read-only data exfiltration.
3. Enable comprehensive SQL query logging and monitoring on the database server to detect and alert on unusual SQL patterns indicative of injection attempts.
4. Conduct an audit of user account privileges to remove unnecessary administrative roles from standard user accounts, since the vulnerability requires authentication.
Monitor the official Gitee repository (https://gitee.com/deerwms/deer-wms-2) for patch release announcements and apply promptly upon availability.