CVE-2025-61548 in Print Shop Pro WebDesk

Summary

by MITRE • 01/08/2026

SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69). Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands.


Analysis

by VulDB Data Team • 02/10/2026

This vulnerability represents a critical SQL injection flaw in the edu Business Solutions Print Shop Pro WebDesk application affecting version 18.34 and prior. The issue manifests specifically within the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint, where the hfInventoryDistFormID parameter fails to undergo proper input sanitization before being incorporated into database queries. The absence of parameterized queries or adequate input escaping creates a direct pathway for malicious actors to manipulate the underlying SQL execution flow. This vulnerability exists due to the application's failure to implement proper input validation and sanitization mechanisms, allowing attackers to inject malicious SQL code through the targeted parameter.

The technical exploitation of this vulnerability enables remote attackers to execute arbitrary SQL commands against the database backend without authentication or authorization. When the hfInventoryDistFormID parameter receives malicious input, the application processes this unsanitized data directly within SQL query construction, bypassing all security controls designed to prevent unauthorized database access. The vulnerability stems from the application's reliance on string concatenation for SQL query building rather than using parameterized queries or stored procedures. This design flaw falls under the common weakness identified by CWE-89, which specifically addresses SQL injection vulnerabilities where user-supplied data is directly incorporated into SQL commands without proper sanitization or escaping mechanisms.

The operational impact of this vulnerability is severe, as it provides attackers with complete database access capabilities including read, write, and delete operations on sensitive information. Attackers could potentially extract confidential customer data, manipulate inventory records, modify pricing structures, or even escalate privileges within the application environment. The remote nature of the attack means that exploitation can occur from any location without requiring physical access to the system or network. This vulnerability directly maps to several attack techniques documented in the MITRE ATT&CK framework under the execution and credential access domains, particularly targeting the use of SQL injection for data exfiltration and system compromise.

Organizations utilizing the affected Print Shop Pro WebDesk version should immediately implement the available patch version 19.69, which addresses this vulnerability through proper input validation and parameterized query implementation. System administrators should also deploy web application firewalls to monitor and block suspicious SQL injection patterns targeting this specific endpoint. Additional mitigations include implementing input validation at multiple layers, establishing proper database user permissions with minimal required privileges, and conducting regular security assessments of web applications. The vulnerability demonstrates the critical importance of following secure coding practices and adhering to industry standards such as the OWASP Top Ten and ISO 27001 security requirements for preventing SQL injection attacks. Regular code reviews and automated security scanning should be implemented to identify similar vulnerabilities across the application codebase and prevent future incidents of this nature.
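The following Python script is an added example written for this page to illustrate the CWE-89 pattern described in the analysis above (a request parameter concatenated into the query text) next to the two mitigations the patch guidance calls for, a bound parameter and a type check as a second validation layer. It is not code from edu Business Solutions or from the Print Shop Pro WebDesk product: the table name, column names, sample rows and the tampered input value are constructed assumptions, and the only thing taken from the advisory is that hfInventoryDistFormID is an identifier used to look up a unit price.

```python
import sqlite3

# Constructed stand-in for the price table behind GetUnitPrice. The real Print Shop Pro
# WebDesk schema and column names are not on the page; these are assumptions for the demo.
SCHEMA = """
CREATE TABLE inventory_dist_form (
    id         INTEGER PRIMARY KEY,
    item_name  TEXT    NOT NULL,
    unit_price REAL    NOT NULL
);
"""
SAMPLE_ROWS = [  # constructed sample data
    (101, "Letterhead, 500 sheets", 42.50),
    (102, "Business cards, 250", 19.00),
    (103, "Poster 24x36", 75.00),
]


def open_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO inventory_dist_form VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_unit_price_vulnerable(conn, raw_form_id):
    """The CWE-89 pattern the advisory describes: the request parameter is spliced into
    the SQL text, so whatever the client sends becomes part of the WHERE clause."""
    sql = "SELECT unit_price FROM inventory_dist_form WHERE id = " + raw_form_id
    return [row[0] for row in conn.execute(sql)]


def get_unit_price_parameterized(conn, raw_form_id):
    """Bound parameter: the driver sends the value separately from the query text, so
    the value is only ever compared against id and is never parsed as SQL."""
    rows = conn.execute(
        "SELECT unit_price FROM inventory_dist_form WHERE id = ?", (raw_form_id,)
    ).fetchall()
    return [row[0] for row in rows]


def is_valid_form_id(raw_form_id):
    """Validation layer: an inventory form ID is a decimal integer; anything else is an
    anomaly worth logging before it gets anywhere near the database."""
    return isinstance(raw_form_id, str) and raw_form_id.strip().isdecimal()


def validate_form_id(raw_form_id):
    """Reject non-integer input with an error the caller can log and turn into HTTP 400."""
    if not is_valid_form_id(raw_form_id):
        raise ValueError("hfInventoryDistFormID must be a decimal integer")
    return int(raw_form_id)


def get_unit_price_hardened(conn, raw_form_id):
    """Both layers together: validate the type, then bind the value."""
    form_id = validate_form_id(raw_form_id)
    return get_unit_price_parameterized(conn, form_id)


if __name__ == "__main__":
    db = open_db()
    benign = "102"
    tampered = "102 OR 1=1"   # constructed tautology that rewrites the WHERE clause
    print("vulnerable, benign:     ", get_unit_price_vulnerable(db, benign))
    print("vulnerable, tampered:   ", get_unit_price_vulnerable(db, tampered))
    print("parameterized, tampered:", get_unit_price_parameterized(db, tampered))
    try:
        get_unit_price_hardened(db, tampered)
    except ValueError as exc:
        print("hardened, tampered: rejected ->", exc)
    print("hardened, benign:       ", get_unit_price_hardened(db, benign))
```

With the concatenated query the tampered value returns every price in the table, because the comparison has become `id = 102 OR 1=1`. With the bound parameter the same string is compared as a literal against the integer column and matches nothing, and with the validation layer in front it never reaches the database at all; that rejection is also the natural place to emit the log event a WAF or SIEM rule would key on for this endpoint.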

Responsible

MITRE

Reservation

09/26/2025

Disclosure

01/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00473

KEV

no

Activities

very low

Sources
