Home

Description

SQL injection vulnerability in Summar Software´s Portal del Empleado. This vulnerability allows an attacker to retrieve, create, update, and delete the database by sending a POST request using the parameter “ctl00$ContentPlaceHolder1$filtroNombre” in “/MemberPages/quienesquien.aspx”.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-18 | Updated 2025-09-18 | Assigner INCIBE




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

3.98.0
affected

Credits

Pedro Gabaldón Juliá finder

Javier Medina Munuera finder

Antonio José Gálvez Sánchez finder

Alejandro Baño Andrés finder

Álvaro Piñero Laorden finder

References

www.incibe.es/...erabilities-summar-software-employee-portal

cve.org (CVE-2025-40677)

nvd.nist.gov (CVE-2025-40677)

Download JSON