CVE-2025-40698

Description

SQL injection vulnerability in Prevengos v2.44 by Nedatec Consulting. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameters “mpsCentroin”, “mpsEmpresa”, “mpsProyecto”, and “mpsContrata” in “/servicios/autorizaciones.asmx/mfsRecuperarListado”.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-25 | Updated 2025-09-25 | Assigner INCIBE

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Credits

Pedro Gabaldón Juliá finder

Javier Medina Munuera finder

Antonio José Gálvez Sánchez finder

Alejandro Baño Andrés finder

Álvaro Piñero Laorden finder

References

www.incibe.es/...ulnerabilities-prevengos-nedatec-consulting

cve.org (CVE-2025-40698)

nvd.nist.gov (CVE-2025-40698)

Download JSON