A classic SQL injection flaw exists in the reset password routine of esiclivre/esiclivre, specifically in the Solicitante::resetaSenha() method. The vulnerability is triggered by the cpfcnpj parameter in the /reset/index.php script and allows an unauthenticated attacker to manipulate SQL queries to retrieve or modify sensitive data. The flaw is a straightforward injection weakness (CWE‑89) that can compromise confidentiality and potentially integrity of the underlying database. The description indicates that any attacker who can reach the reset endpoint can exploit the flaw without needing credentials, rendering the data exposure broadly available.

The affected product is esiclivre/esiclivre version 0.2.2 and all earlier releases. No specific vendor version list is supplied beyond the repository identifier, and no CNA vendor or product names are attached. Administrators should verify the exact version being deployed and confirm whether it falls within the vulnerable range. If the installation uses a newer release, the vulnerability may be mitigated by default.

The CVSS score of 6.5 indicates moderate severity, and the EPSS score under 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, further indicating limited observed exploitation. Based on the description, the likely attack vector is a remote web request to /reset/index.php with crafted cpfcnpj input, meaning that an attacker could trigger the flaw from anywhere on the internet. Exploitation requires no special conditions beyond network reach to the web service.