CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (base score 7.3, High)
Description (NVD)
A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been declared as critical. This vulnerability affects unknown code of the file /Reservations/Search of the component API. The manipulation of the argument Value leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in the /Reservations/Search API endpoint of Das Parking Management System (停车场管理系统) 6.2.0. An unauthenticated remote attacker controls the 'Value' request parameter, which the endpoint uses to build a SQL query, and can reshape that query to read or modify data in the application's database or to disrupt the service. The NVD vector rates each of confidentiality, integrity and availability impact as Low (C:L/I:L/A:L); the real blast radius depends on the privileges of the database account the application uses and on the shape of the query, neither of which the public description gives. A proof of concept has been disclosed publicly, so exploitation takes little effort, and any internet-exposed instance should be treated as at risk.
Technical Context (AI)
The flaw sits in the web API of the parking management system; the implementing language and framework are not identified in the public advisory. NVD files the root cause under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the parent class of CWE-89 (SQL Injection). The /Reservations/Search endpoint takes the 'Value' request parameter and incorporates it into a SQL statement without a bound parameter or adequate escaping. The description is consistent with a first-order injection: the attacker-controlled string is spliced into the query text and executed in the same request, so a quote character ends the intended literal and everything after it is parsed as SQL (tautologies, UNION selects, stacked statements where the driver allows them). Because the endpoint needs no authentication and no user interaction (PR:N, UI:N) and is reachable over the network with low attack complexity (AV:N, AC:L), an internet-exposed instance can be attacked directly with a single crafted request.
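The two query shapes described above, side by side, as an added example that is not code from Das Parking Management System (whose schema, query and database engine are not public). The table, rows and payloads are constructed; SQLite stands in for whatever engine the product uses, and the `/Reservations/Search` handler is reduced to a function that takes the 'Value' string:

```python
import sqlite3

# Constructed stand-in for the product's reservations table. The real schema,
# query and database engine of Das Parking Management System are not public;
# only the endpoint (/Reservations/Search) and the parameter name (Value) are.
ROWS = [
    (1, "AB-1234", "alice@example.com"),
    (2, "CD-5678", "bob@example.com"),
    (3, "EF-9012", "carol@example.com"),
]

# Payloads an attacker would send as the 'Value' parameter.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"                                   # every row matches
UNION_PAYLOAD = "' UNION SELECT 1, name, sql FROM sqlite_master--"  # read schema rows


def make_db():
    """Create an in-memory SQLite database holding the sample reservations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations (id INTEGER PRIMARY KEY, plate TEXT, owner_email TEXT)"
    )
    conn.executemany("INSERT INTO reservations VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, value):
    """Pattern the advisory describes: the request parameter is spliced into the
    query text, so a quote in 'value' closes the literal and the rest is SQL."""
    sql = f"SELECT id, plate, owner_email FROM reservations WHERE plate = '{value}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, value):
    """Hardened form: the query text is fixed and 'value' travels as a bound
    parameter, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT id, plate, owner_email FROM reservations WHERE plate = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY_PAYLOAD, UNION_PAYLOAD):
        print("payload      :", payload)
        print("vulnerable   :", search_vulnerable(db, payload))
        print("parameterized:", search_parameterized(db, payload))
```

Against the vulnerable function the tautology payload returns every reservation and the UNION payload returns the schema of the `reservations` table from `sqlite_master`; against the parameterized function both payloads are compared literally to the `plate` column and match nothing.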
Remediation (AI)
Immediate actions:
1. Patch: Upgrade Das Parking Management System to a version released after this CVE disclosure (a fixed version has not yet been published by the vendor); contact Das Parking support directly for patch availability.
2. Workaround (WAF): Deploy Web Application Firewall rules for the /Reservations/Search endpoint that inspect the URL-decoded 'Value' parameter for quote characters, comment sequences (--, /*), statement separators and SQL keywords such as UNION, SELECT, DROP and INSERT. Treat this as a stopgap: keyword filters miss case variants, inline comments and blind, time-based payloads, and they will flag legitimate values that contain an apostrophe. A positive allowlist of the expected value format (for example alphanumerics and a few delimiters) is the stronger rule.
3. Network mitigation: Restrict access to the /Reservations/Search API to authorized networks or VPNs; apply rate limiting and input validation at the reverse proxy layer.
4. Detection: Review web-server access logs for requests to /Reservations/Search whose 'Value' parameter contains quote characters, comment sequences or SQL keywords, and correlate with 500 responses or unusually large responses from that endpoint. Audit database logs for unexpected queries and enable query logging if it is off, bearing in mind that it costs performance on a busy instance.
5. Code fix (only if you maintain the source): Use parameterized queries or prepared statements for every SQL operation; use an ORM with built-in query parameterization; allowlist the 'Value' parameter against its expected format before it reaches the data layer; run the application's database account with the least privilege the search needs (read-only where possible) so a successful injection cannot modify or drop data.
Monitor the vendor's (Das Parking) official channels and CVE databases for an official patch.
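The access-log review and the allowlist check from items 2 and 4 above, as an added example that is not part of the page or of the vendor's product. The endpoint path and the 'Value' parameter name come from the advisory; the combined-log-format line layout, the addresses, timestamps and requests in SAMPLE_LOG, the indicator patterns and the plate-like ALLOWED_VALUE format are all constructed assumptions for this example and should be tuned to the real deployment:

```python
import re
from urllib.parse import parse_qs, urlsplit

# The endpoint path and parameter name come from the advisory; the log format
# (Apache/nginx combined format) and every address, timestamp and request in
# SAMPLE_LOG below are constructed for this example.
TARGET_PATH = "/Reservations/Search"
TARGET_PARAM = "Value"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators are matched against the URL-decoded parameter value, so
# percent-encoded payloads do not slip past the patterns.
INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|/\*|#"),
    "separator": re.compile(r";"),
    "keyword": re.compile(
        r"\b(union|select|insert|update|delete|drop|exec|information_schema)\b", re.I
    ),
    "tautology": re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),
}

# A lone quote is a weak signal (O'Brien is a real name); these are strong ones.
STRONG = {"comment", "separator", "keyword", "tautology", "time_based"}

# Assumed expected format for a reservation search term (a plate-like string);
# the product's real accepted format is not documented, adjust before use.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9 \-]{1,32}$")


def sqli_indicators(value):
    """Names of the indicator patterns that fire on a decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def is_allowed_value(value):
    """Positive allowlist check: True only when the value fits the expected format."""
    return ALLOWED_VALUE.match(value) is not None


def parse_line(line):
    """Split one access-log line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": target.path,
        "query": parse_qs(target.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def scan_log(lines):
    """Return one finding per 'Value' parameter sent to the vulnerable endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["query"].get(TARGET_PARAM, []):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "value": value,
                "indicators": sqli_indicators(value),
                "allowed": is_allowed_value(value),
            })
    return findings


def triage(finding):
    """'alert' on a strong indicator, 'review' when the value only fails the
    allowlist (e.g. a lone apostrophe), 'ok' otherwise."""
    if STRONG & set(finding["indicators"]):
        return "alert"
    if not finding["allowed"]:
        return "review"
    return "ok"


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [12/Jun/2025:10:01:13 +0000] "GET /Reservations/Search?Value=AB-1234 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2025:10:01:20 +0000] "GET /Reservations/Search?Value=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031',
    '198.51.100.9 - - [12/Jun/2025:10:02:02 +0000] "GET /Reservations/Search?Value=%27%20UNION%20SELECT%20NULL%2CNULL%2Cuser()--%20- HTTP/1.1" 500 233',
    '198.51.100.9 - - [12/Jun/2025:10:02:30 +0000] "GET /Reservations/Search?Value=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512',
    '192.0.2.4 - - [12/Jun/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.4 - - [12/Jun/2025:10:03:05 +0000] "GET /Reservations/Search?Value=O%27Brien HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{triage(f):7} {f["ip"]:14} {f["status"]} {f["indicators"]!r:45} {f["value"]!r}')
```

Run over SAMPLE_LOG the scan skips the request for /index.html, marks the tautology, UNION and WAITFOR requests as alerts, and files `O'Brien` for review rather than alerting, which is the false-positive case a bare keyword or quote filter gets wrong. The same `is_allowed_value` check, placed at the reverse proxy or in front of the query, is the positive allowlist recommended as the stronger workaround.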
External POC / Exploit Code
EUVD-2025-18389