{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3893", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-04-23T09:52:14.342Z", "datePublished": "2025-05-23T10:20:02.391Z", "dateUpdated": "2025-05-23T12:13:22.569Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MegaBIP", "vendor": "Jan Syski", "versions": [{"lessThanOrEqual": "5.19", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kamil Szczurowski"}, {"lang": "en", "type": "finder", "value": "Robert Kruczek"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.&nbsp;<br>Version 5.20 of MegaBIP fixes this issue.&nbsp;"}], "value": "While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.\u00a0\nVersion 5.20 of MegaBIP fixes this issue."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-05-23T10:20:02.391Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2025/05/CVE-2025-3893"}, {"tags": ["vendor-advisory"], "url": "https://megabip.pl/index.php?id=24,145"}, {"tags": ["government-resource"], "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection in MegaBIP", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-23T12:12:44.134029Z", "id": "CVE-2025-3893", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T12:13:22.569Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-23T12:12:44.134029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T12:13:17.892Z"}}], "cna": {"title": "SQL Injection in MegaBIP", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kamil Szczurowski"}, {"lang": "en", "type": "finder", "value": "Robert Kruczek"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Jan Syski", "product": "MegaBIP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.19"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2025-3893", "tags": ["third-party-advisory"]}, {"url": "https://megabip.pl/index.php?id=24,145", "tags": ["vendor-advisory"]}, {"url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.\u00a0\nVersion 5.20 of MegaBIP fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.&nbsp;<br>Version 5.20 of MegaBIP fixes this issue.&nbsp;", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-05-23T10:20:02.391Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3893", "state": "PUBLISHED", "dateUpdated": "2025-05-23T12:13:22.569Z", "dateReserved": "2025-04-23T09:52:14.342Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-05-23T10:20:02.391Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.\u00a0\nVersion 5.20 of MegaBIP fixes this issue."}, {"lang": "es", "value": "Al editar p\u00e1ginas administradas por MegaBIP, se solicita a un usuario con privilegios elevados que justifique la acci\u00f3n. La informaci\u00f3n proporcionada por el usuario no se depura, lo que genera una vulnerabilidad de inyecci\u00f3n SQL. La versi\u00f3n 5.20 de MegaBIP corrige este problema."}], "id": "CVE-2025-3893", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2025-05-23T11:15:32.660", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2025/05/CVE-2025-3893"}, {"source": "cvd@cert.pl", "url": "https://megabip.pl/index.php?id=24,145"}, {"source": "cvd@cert.pl", "url": "https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}

{"created": "2025-06-23T19:31:59.988256+00:00", "updated": "2025-06-23T19:31:59.988305+00:00", "vendors": ["jan_syski", "jan_syski$PRODUCT$megabip"]}