
Description

A SQL injection vulnerability in the fields of the warehouse document filtering form in SIMPLE.ERP allows a logged-in user to inject a malicious query. Potential exploitation is limited by the 20-character limit on the form fields. The identified use case allows deletion of tables whose names are at most 6 characters long. We weren't able to identify a way to exfiltrate data within the query character limit. This issue affects SIMPLE.ERP in versions before 6.30@a04.3.
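The root cause described above, CWE-89, is a filter value being concatenated into SQL text rather than bound as a parameter. The following is an added illustration, not code from SIMPLE.ERP or from the advisory: a constructed in-memory SQLite table of warehouse documents is queried once with string concatenation and once with a bound parameter, and a filter value containing a single quote shows why only the second form is safe. The table, column names and the 20-character check are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not taken from the advisory).
SAMPLE_ROWS = [
    ("WZ/2025/001", "Main"),
    ("WZ/2025/002", "O'Brien Depot"),
    ("PZ/2025/003", "Main"),
]


def make_db():
    """Build a throwaway in-memory database with a hypothetical documents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (number TEXT, warehouse TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def filter_vulnerable(conn, warehouse):
    """String concatenation: the filter value becomes part of the SQL text (CWE-89).

    Any quote character in the input changes the structure of the statement,
    which is exactly the condition the advisory describes.
    """
    sql = "SELECT number FROM documents WHERE warehouse = '" + warehouse + "'"
    return [row[0] for row in conn.execute(sql)]


def filter_parameterized(conn, warehouse):
    """Bound parameter: the value is data, never parsed as SQL, whatever it contains.

    The length check mirrors the form's 20-character limit; it is an input
    constraint, not a defence against injection, so the parameter binding is
    what actually neutralizes special characters.
    """
    if len(warehouse) > 20:
        raise ValueError("filter value too long")
    return [
        row[0]
        for row in conn.execute(
            "SELECT number FROM documents WHERE warehouse = ?", (warehouse,)
        )
    ]


def demo():
    """Run both variants against the same data and report what happened."""
    conn = make_db()
    results = {}
    results["safe_plain"] = filter_parameterized(conn, "Main")
    # A legitimate warehouse name containing a quote is handled correctly.
    results["safe_quote"] = filter_parameterized(conn, "O'Brien Depot")
    try:
        filter_vulnerable(conn, "O'Brien Depot")
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        # The quote broke the statement: the input was interpreted as SQL.
        results["vuln_quote"] = "syntax error: input was parsed as SQL"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The error raised by the concatenated variant is the detection signal a defender can watch for in application logs: database syntax errors triggered by ordinary form fields indicate that user input is reaching the SQL parser. The fix is the same regardless of field length limits: bind every filter value as a parameter.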

Status: PUBLISHED | Reserved 2025-08-22 | Published 2025-10-21 | Updated 2025-10-24 | Assigner: CERT-PL

Severity: HIGH 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

Any version before 6.30@a04.3
affected

Credits

Kamil Dąbkowski finder

References

cert.pl/en/posts/2025/10/CVE-2025-9339/ third-party-advisory

simple.com.pl/ product

cve.org (CVE-2025-9339)

nvd.nist.gov (CVE-2025-9339)
