CVE-2025-56385 | THREATINT

Description

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

PUBLISHED Reserved 2025-08-16 | Published 2025-11-12 | Updated 2025-11-13 | Assigner mitre

References

harmony.com

wellsky.com

machevalia.blog/...-2025-56385-wellsky-harmony-sql-injection

cve.org (CVE-2025-56385)

nvd.nist.gov (CVE-2025-56385)

Download JSON