CVE-2025-52085

An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://medium.com/@pundhapat/sqli-in-the-cloud-root-on-the-board-a-beginners-journey-into-iot-hacking-06efb2539a21	Exploit Third Party Advisory
https://yoosee.app	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:yoosee:yoosee:6.32.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-22 18:15

Updated : 2025-09-12 19:30

NVD link : CVE-2025-52085

Mitre link : CVE-2025-52085

CVE.ORG link : CVE-2025-52085

JSON object : View

Products Affected

yoosee

yoosee

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-52085", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-08-22T18:15:35.550", "references": [{"url": "https://medium.com/@pundhapat/sqli-in-the-cloud-root-on-the-board-a-beginners-journey-into-iot-hacking-06efb2539a21", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://yoosee.app", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en la aplicaci\u00f3n Yoosee v6.32.4 permite a usuarios autenticados inyectar consultas SQL arbitrarias mediante una solicitud a un endpoint de API de backend. Su explotaci\u00f3n exitosa permite la extracci\u00f3n de informaci\u00f3n confidencial de la base de datos, incluyendo, entre otros, el banner y la versi\u00f3n del servidor de base de datos, el usuario y el esquema actuales de la base de datos, los privilegios de usuario actuales del DBMS y datos arbitrarios de cualquier tabla."}], "lastModified": "2025-09-12T19:30:55.373", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yoosee:yoosee:6.32.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C36DCE6-1873-4C43-9F60-1A4DCDF2492A"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}