{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8220", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-07-26T08:58:22.562Z", "datePublished": "2025-07-27T03:02:05.624Z", "dateUpdated": "2025-10-11T21:13:14.253Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-11T21:13:14.253Z"}, "title": "Engeman Web Password Recovery RecoveryPass sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Engeman", "product": "Web", "versions": [{"version": "12.0.0.0", "status": "affected"}, {"version": "12.0.0.1", "status": "affected"}, {"version": "12.0.0.2", "status": "affected"}, {"version": "12.0.0.3", "status": "unaffected"}], "modules": ["Password Recovery Page"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Engeman Web up to 12.0.0.2. The affected element is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of the argument LanguageCombobox as part of Cookie leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 12.0.0.3 is sufficient to fix this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in Engeman Web up to 12.0.0.2 gefunden. Es betrifft eine unbekannte Funktion der Datei /Login/RecoveryPass der Komponente Password Recovery Page. Durch Manipulieren des Arguments LanguageCombobox durch Cookie kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\u00fchrt werden. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden. Ein Aktualisieren auf die Version 12.0.0.3 vermag dieses Problem zu l\u00f6sen. Ein Upgrade der betroffenen Komponente wird empfohlen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2025-07-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-07-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-07-27T00:00:00.000Z", "lang": "en", "value": "Exploit disclosed"}, {"time": "2025-10-11T23:17:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "m3m0o (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "m3m0o (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/?id.317808", "name": "VDB-317808 | Engeman Web Password Recovery RecoveryPass sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.317808", "name": "VDB-317808 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.616747", "name": "Submit #616747 | Engeman Engeman Web <= 12.0.0.1 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/m3m0o/engeman-web-language-combobox-sqli", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://docs.google.com/document/d/1fbe1o3ncvmYbw-w1MKMUJg7z-qu1Wyo81y9isFlNyi0/edit?tab=t.0", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T14:59:46.376103Z", "id": "CVE-2025-8220", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T14:59:50.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8220", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T14:59:46.376103Z"}}}], "references": [{"url": "https://docs.google.com/document/d/1fbe1o3ncvmYbw-w1MKMUJg7z-qu1Wyo81y9isFlNyi0/edit?tab=t.0", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T14:59:39.647Z"}}], "cna": {"title": "Engeman Web Password Recovery RecoveryPass sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "m3m0o (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "m3m0o (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "Engeman", "modules": ["Password Recovery Page"], "product": "Web", "versions": [{"status": "affected", "version": "12.0.0.0"}, {"status": "affected", "version": "12.0.0.1"}, {"status": "affected", "version": "12.0.0.2"}, {"status": "unaffected", "version": "12.0.0.3"}]}], "timeline": [{"lang": "en", "time": "2025-07-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-07-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-07-27T00:00:00.000Z", "value": "Exploit disclosed"}, {"lang": "en", "time": "2025-10-11T23:17:55.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.317808", "name": "VDB-317808 | Engeman Web Password Recovery RecoveryPass sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.317808", "name": "VDB-317808 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.616747", "name": "Submit #616747 | Engeman Engeman Web <= 12.0.0.1 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/m3m0o/engeman-web-language-combobox-sqli", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Engeman Web up to 12.0.0.2. The affected element is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of the argument LanguageCombobox as part of Cookie leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 12.0.0.3 is sufficient to fix this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in Engeman Web up to 12.0.0.2 gefunden. Es betrifft eine unbekannte Funktion der Datei /Login/RecoveryPass der Komponente Password Recovery Page. Durch Manipulieren des Arguments LanguageCombobox durch Cookie kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgef\u00fchrt werden. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden. Ein Aktualisieren auf die Version 12.0.0.3 vermag dieses Problem zu l\u00f6sen. Ein Upgrade der betroffenen Komponente wird empfohlen."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-11T21:13:14.253Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8220", "state": "PUBLISHED", "dateUpdated": "2025-10-11T21:13:14.253Z", "dateReserved": "2025-07-26T08:58:22.562Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-07-27T03:02:05.624Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:engeman:web:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9F14DE6-C2F9-4B85-AC49-093BFF8FF4E2", "versionEndIncluding": "12.0.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Engeman Web up to 12.0.0.2. The affected element is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of the argument LanguageCombobox as part of Cookie leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 12.0.0.3 is sufficient to fix this issue. Upgrading the affected component is advised. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad clasificada como cr\u00edtica en Engeman Web hasta la versi\u00f3n 12.0.0.1. Se ve afectada una funci\u00f3n desconocida del archivo /Login/RecoveryPass del componente Password Recovery Page. La manipulaci\u00f3n del argumento LanguageCombobox provoca una inyecci\u00f3n SQL. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Se contact\u00f3 al proveedor con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3."}], "id": "CVE-2025-8220", "lastModified": "2025-10-11T22:15:33.570", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-07-27T04:15:27.010", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/m3m0o/engeman-web-language-combobox-sqli"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.317808"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.317808"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.616747"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Permissions Required"], "url": "https://docs.google.com/document/d/1fbe1o3ncvmYbw-w1MKMUJg7z-qu1Wyo81y9isFlNyi0/edit?tab=t.0"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2025-07-29T10:01:04.894263+00:00", "updated": "2025-07-29T10:01:04.894316+00:00", "vendors": ["engeman", "engeman$PRODUCT$web"]}