Description
i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract sensitive database information including usernames, database names, and version details.
Published: 2026-03-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach
Action: Apply Patch
AI Analysis

Impact

i-doit CMDB 1.12 exposes an unauthenticated SQL injection flaw in the objGroupID parameter. Attackers can craft GET requests that inject malicious SQL code, allowing execution of arbitrary queries. The exploit can expose sensitive information such as usernames, database names and version information, thereby compromising the confidentiality of the system's data assets.

Affected Systems

This vulnerability affects the i-doit CMDB product from I-Doit, specifically version 1.12. No other versions are listed as affected in the available information.

Risk and Exploitability

The CVSS base score of 8.8 classifies the vulnerability as high severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector, as described, is web-based; an attacker can send unauthenticated HTTP GET requests to the victim's server to trigger the injection. Given the impact and the remote nature of the attack, the risk is significant even though the exploit probability is currently low.

Generated by OpenCVE AI on March 24, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade i-doit CMDB to the latest patched release that addresses the SQL injection issue.
  • If an upgrade is not immediately possible, restrict external access to the CMDB web interface and enforce network segmentation.
  • Deploy a web application firewall or equivalent filtering to block malicious payloads targeting the objGroupID parameter.
  • Monitor web server logs for abnormal GET requests containing SQL injection patterns and investigate promptly.

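As an added example (not part of the OpenCVE record or of the i-doit project), the following script implements the log-monitoring action above for the objGroupID parameter. Rather than matching a list of injection signatures, it applies an allow-list check: it assumes a legitimate objGroupID is a plain integer object-group id, so any decoded value that is not all digits is reported, which also catches double-encoded probes. The access-log lines, hosts and paths are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format. The parameter
# name objGroupID comes from the advisory; hosts, paths and agents are assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2026:21:00:01 +0000] "GET /index.php?objGroupID=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Mar/2026:21:00:02 +0000] "GET /index.php?objGroupID=12%27 HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [24/Mar/2026:21:00:03 +0000] "GET /index.php?objGroupID=12%2527 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.2 - - [24/Mar/2026:21:00:04 +0000] "GET /index.php?objGroupID=7&view=list HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PARAM = "objGroupID"


def suspicious_values(target):
    """Return the objGroupID values in a request target that are not plain integers.

    Assumption: a legitimate objGroupID is a numeric object-group id, so anything
    else (quotes, spaces, leftover percent-encoding, empty values) is worth a look.
    parse_qs percent-decodes once, so a double-encoded value still fails the check.
    """
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not re.fullmatch(r"[0-9]+", v)]


def scan_log(text):
    """Return (ip, timestamp, status, decoded_value) for each request whose
    objGroupID fails the allow-list check. Unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in suspicious_values(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), value))
    return hits


if __name__ == "__main__":
    for ip, ts, status, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} {PARAM}={value!r}")
```

Run it over the real access log (for example `scan_log(open(path).read())`) and feed the hits into whatever alerting the monitoring bullet above is implemented with; a burst of hits from one client, or non-numeric values paired with 500 responses, is the pattern to investigate.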

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   I-doit i-doit
CPEs                                  cpe:2.3:a:i-doit:i-doit:1.12:*:*:*:*:*:*:*
Vendors & Products                    I-doit i-doit

Tue, 24 Mar 2026 02:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   I-doit
                                      I-doit doit Cmdb
Vendors & Products                    I-doit
                                      I-doit doit Cmdb

Sat, 21 Mar 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Description                           i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract sensitive database information including usernames, database names, and version details.
Title                                 i-doit CMDB 1.12 SQL Injection via objGroupID Parameter
Weaknesses                            CWE-89
References
Metrics                               cvssV3_1
                                      {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                                      cvssV4_0
                                      {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T19:55:52.869Z

Reserved: 2026-03-21T15:29:20.744Z

Link: CVE-2019-25581

Vulnrichment

Updated: 2026-03-23T19:55:42.811Z

NVD

Status: Analyzed

Published: 2026-03-21T16:16:02.303

Modified: 2026-03-24T20:38:26.077

Link: CVE-2019-25581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:02Z

Weaknesses