{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11252", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "state": "PUBLISHED", "assignerShortName": "TR-CERT", "dateReserved": "2025-10-03T11:31:07.895Z", "datePublished": "2026-02-27T12:32:33.594Z", "dateUpdated": "2026-04-16T15:10:42.074Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2026-04-16T15:10:42.074Z"}, "title": "SQLi in Signum Technologies' windesk.fm", "datePublic": "2026-02-27T12:32:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "affected": [{"vendor": "Signum Technology Promotion and Training Inc.", "product": "windesk.fm", "versions": [{"status": "affected", "version": "0", "lessThan": "v2.3.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: before v2.3.4.\u00a0\nNOTE:\u00a0\nThe vendor patched the vulnerability after the CVE was published.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.<p>This issue affects windesk.Fm: before v2.3.4.&nbsp;\nNOTE:&nbsp;\nThe vendor patched the vulnerability after the CVE was published.\n\n</p>"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-26-0085", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Engin AYDO\u011eAN", "type": "finder"}], "source": {"defect": ["TR-26-0085"], "advisory": "TR-26-0085", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T19:25:43.991802Z", "id": "CVE-2025-11252", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:33:46.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11252", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T19:25:43.991802Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:33:41.643Z"}}], "cna": {"title": "SQLi in Signum Technologies' windesk.fm", "source": {"defect": ["TR-26-0085"], "advisory": "TR-26-0085", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Engin AYDO\u011eAN"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Signum Technology Promotion and Training Inc.", "product": "windesk.fm", "versions": [{"status": "affected", "version": "0", "lessThan": "v2.3.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-27T12:32:00.000Z", "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-26-0085", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: before v2.3.4.\u00a0\nNOTE:\u00a0\nThe vendor patched the vulnerability after the CVE was published.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.<p>This issue affects windesk.Fm: before v2.3.4.&nbsp;\nNOTE:&nbsp;\nThe vendor patched the vulnerability after the CVE was published.\n\n</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2026-04-16T15:10:42.074Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11252", "state": "PUBLISHED", "dateUpdated": "2026-04-16T15:10:42.074Z", "dateReserved": "2025-10-03T11:31:07.895Z", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "datePublished": "2026-02-27T12:32:33.594Z", "assignerShortName": "TR-CERT"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signumtte:windesk.fm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFD632DF-AB52-4649-ABD9-F02BA14B5958", "versionEndIncluding": "27022026", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: before v2.3.4.\u00a0\nNOTE:\u00a0\nThe vendor patched the vulnerability after the CVE was published."}, {"lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('inyecci\u00f3n SQL') en Signum Technology Promotion and Training Inc. Windesk.Fm permite la inyecci\u00f3n SQL. Este problema afecta a windesk.Fm: hasta el 27022026.\n\nNOTA: Se contact\u00f3 al proveedor con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2025-11252", "lastModified": "2026-04-16T16:16:14.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "iletisim@usom.gov.tr", "type": "Secondary"}]}, "published": "2026-02-27T13:16:01.343", "references": [{"source": "iletisim@usom.gov.tr", "tags": ["Third Party Advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-26-0085"}], "sourceIdentifier": "iletisim@usom.gov.tr", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "iletisim@usom.gov.tr", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,27022026]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "windesk.fm", "source": "cna", "vendor": "Signum Technology Promotion and Training Inc."}, "product": "windesk.fm", "vendor": "signum_technology_promotion_and_training"}], "analysis": {"en": {"generated_at": "2026-04-20T15:35:40.654541+00:00", "value": {"mitigation_remediation": ["Update Windesk.Fm to version 2.3.4 or later.", "Ensure all user-supplied input is sanitized and use parameterized queries to prevent SQL injection.", "Monitor database logs for suspicious activity and, if necessary, restrict database privileges or isolate the database from the web-facing application."], "summary": {"action": "Apply Patch", "impact": "SQL Injection in Windesk.Fm"}, "threat_synthesis": {"affected_systems": "Windesk.Fm versions prior to 2.3.4 are affected. The product is supplied by Signum Technology Promotion and Training Inc.", "description_and_impact": "The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, known as SQL injection, in Signum Technology Promotion and Training Inc.'s Windesk.Fm. The flaw allows attackers to inject arbitrary SQL statements into a query, potentially leading to unauthorized database access, disclosure of sensitive information, or modification of data. This weakness is categorized as CWE-89.", "risk_and_exploitability": "The CVSS score of 9.8 highlights a critical risk, while the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the web interface where user-supplied input is incorporated into SQL queries without proper sanitization. An attacker could abuse this to read, modify, or delete data in the underlying database if the database user has sufficient privileges."}}}}, "created": "2026-03-02T12:07:17.065738+00:00", "updated": "2026-04-20T15:45:10.369077+00:00", "vendors": ["signum_technology_promotion_and_training", "signum_technology_promotion_and_training$PRODUCT$windesk.fm"]}