CVE-2025-41002 in Infoticketinginfo

Summary

by MITRE • 02/23/2026

SQL injection vulnerability in Infoticketing. This vulnerability allows an unauthenticated attacker to retrieve, create, update, and delete the database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/23/2026

This vulnerability represents a critical sql injection flaw in the infoticketing system that exposes the underlying database to unauthorized manipulation. The vulnerability specifically resides within the cartApplyDiscount.php component where the 'code' parameter is processed without adequate input validation or sanitization. An unauthenticated attacker can exploit this weakness by crafting malicious POST requests that manipulate the sql query execution flow. The attack vector is particularly concerning because it requires no authentication credentials, making it accessible to any external party who can reach the affected endpoint. This vulnerability directly maps to cwe-89 sql injection as defined by the common weakness enumeration catalog, which classifies it as a severe weakness that allows attackers to execute arbitrary sql commands against the database. The operational impact extends beyond simple data theft to include complete database compromise where attackers can perform read, write, and delete operations on sensitive information. This represents a fundamental breakdown in the application's input handling mechanisms and demonstrates a classic lack of proper parameterized queries or input sanitization. The vulnerability enables attackers to extract confidential data such as user credentials, personal information, financial records, and business-sensitive data through direct sql command execution. The attack surface is further expanded by the fact that this vulnerability affects core commerce functionality, potentially allowing attackers to manipulate discount codes, alter pricing structures, and modify inventory information. From a threat modeling perspective, this vulnerability aligns with attack techniques documented in the attack pattern taxonomy under the category of sql injection attacks. The lack of authentication requirements makes this particularly dangerous as it can be exploited immediately upon discovery without requiring additional access privileges or reconnaissance. The vulnerability affects the integrity, confidentiality, and availability of the entire database system through unauthorized data manipulation. Organizations should consider implementing comprehensive input validation, parameterized queries, and web application firewalls to prevent such attacks. The exploitability of this vulnerability means that attackers can perform complete database compromise operations including data exfiltration, data corruption, and unauthorized access to sensitive information. This vulnerability also represents a failure in the application's security design principles and demonstrates the critical need for secure coding practices throughout the development lifecycle. The impact extends beyond immediate data loss to include potential regulatory compliance violations, financial losses, and reputational damage from data breaches. Organizations should implement proper access controls, regular security testing, and input sanitization measures to prevent similar vulnerabilities from being exploited in production environments. The vulnerability highlights the importance of following secure coding standards and implementing proper defense-in-depth strategies to protect against sql injection attacks. This flaw represents a significant security gap that requires immediate remediation through code review, input validation implementation, and security testing protocols. The affected component's role in commerce functionality makes this vulnerability particularly dangerous as attackers can potentially manipulate transactions and financial data. The vulnerability's persistence in the system indicates a systemic security weakness that requires comprehensive remediation across the entire application architecture. Organizations should also consider implementing automated security scanning tools and regular penetration testing to identify and remediate similar vulnerabilities before they can be exploited in real-world scenarios. The exploitation of this vulnerability could lead to complete system compromise and unauthorized access to all database contents, making it a critical priority for immediate remediation.

Responsible

INCIBE

Reservation

04/16/2025

Disclosure

02/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00323

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!