CVE-2025-52390

Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowing attackers to manipulate the SQL logic and potentially extract sensitive information or escalate their privileges.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sauruscms/Saurus-CMS-Community-Edition/blob/d886e5b0c1e2b42cd74e2184e7c81c720cd9de6b/classes/FulltextSearch.class.php#L331
https://github.com/theharshkothari/vulnerability-research/blob/main/CVE-2025-52390.md

Configurations

No configuration.

History

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) Saurus CMS Community Edition, desde el commit d886e5b0 (23/04/2010), es vulnerable a una vulnerabilidad de inyección SQL en el método `prepareSearchQuery()` de `FulltextSearch.class.php`. La aplicación concatena directamente la entrada proporcionada por el usuario (`$search_word`) en consultas SQL sin depurar, lo que permite a los atacantes manipular la lógica SQL y, potencialmente, extraer información confidencial o escalar sus privilegios.

01 Aug 2025, 18:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
CWE		CWE-89

01 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-01 16:15

Updated : 2025-08-04 15:06

NVD link : CVE-2025-52390

Mitre link : CVE-2025-52390

CVE.ORG link : CVE-2025-52390

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

9.1 /10