Overview
A high-severity SQL injection vulnerability, identified as CVE-2025-13788, has been discovered in Chanjet CRM versions up to 20251106. This flaw allows a remote attacker to execute arbitrary SQL commands, potentially leading to data breaches, system compromise, and other severe consequences. The vulnerability is actively exploitable and a proof-of-concept (PoC) is publicly available. The vendor has been unresponsive to initial disclosure attempts.
Technical Details
The vulnerability exists in the /tools/upgradeattribute.php file. Specifically, the gblOrgID parameter is susceptible to SQL injection. An attacker can manipulate this parameter in a crafted request to inject malicious SQL code, allowing them to bypass security measures and interact directly with the underlying database.
The affected code segment responsible for SQL queries does not properly sanitize user-supplied input, leaving it vulnerable to SQL injection attacks. Exploitation does not require authentication, making the risk even more significant.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13788 is 7.3, indicating HIGH severity. The CVSS vector is likely similar to AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (Network, Low Attack Complexity, No Privileges Required, No User Interaction, Unchanged Scope, Low Confidentiality Impact, Low Integrity Impact, Low Availability Impact).
This score reflects the ease of exploitation and the potential for significant impact on the confidentiality, integrity, and availability of the affected system.
Possible Impact
Successful exploitation of this SQL injection vulnerability could result in:
- Data Breach: Access to sensitive customer data, financial records, and other confidential information stored in the CRM database.
- System Compromise: The ability to modify or delete critical data, potentially leading to application malfunction or system downtime.
- Privilege Escalation: In some cases, the attacker could use the SQL injection to gain elevated privileges within the application or even the underlying operating system.
- Denial of Service (DoS): An attacker could inject malicious code that causes the CRM system to become unresponsive.
Mitigation and Patch Steps
Unfortunately, at the time of this writing, no official patch or mitigation is available from the vendor. Given the vendor’s lack of response, immediate action is crucial. We recommend the following interim mitigation steps:
- Web Application Firewall (WAF): Implement a WAF rule to detect and block SQL injection attempts targeting the /tools/upgradeattribute.php endpoint and the gblOrgID parameter.
- Input Validation: If feasible, implement strict input validation on the gblOrgID parameter to ensure that only expected data types and formats are accepted. This may require code modifications.
- Database Access Control: Restrict database access for the CRM application to the minimum necessary privileges. This limits the potential damage if an SQL injection attack is successful.
- Monitor System Logs: Closely monitor system logs for suspicious activity and potential SQL injection attempts.
- Consider Alternatives: If the risk is deemed too high and mitigation is insufficient, consider migrating to a more secure CRM solution.
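As an added example (not from this advisory or from Chanjet), the following script implements the WAF and log-monitoring recommendations above as an allowlist check rather than an attack-signature match: it parses web-server access-log lines, URL-decodes the gblOrgID value on requests to /tools/upgradeattribute.php, and flags any value that is not a short numeric ID. The numeric format of gblOrgID and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2025:10:01:02 +0000] "GET /tools/upgradeattribute.php?gblOrgID=1001 HTTP/1.1" 200 512
203.0.113.11 - - [10/Nov/2025:10:01:05 +0000] "GET /tools/upgradeattribute.php?gblOrgID=1001%27 HTTP/1.1" 500 0
203.0.113.12 - - [10/Nov/2025:10:01:09 +0000] "GET /tools/upgradeattribute.php?gblOrgID=abc HTTP/1.1" 200 512
203.0.113.13 - - [10/Nov/2025:10:01:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""

TARGET_PATH = "/tools/upgradeattribute.php"
PARAM = "gblOrgID"
# Assumption: a legitimate gblOrgID is a short decimal organisation ID.
ALLOWED = re.compile(r"[0-9]{1,10}")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_request(target: str):
    """Return None when the request is not for the endpoint or gblOrgID is
    well-formed; otherwise return the decoded value that failed the allowlist."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        # parse_qs decodes one layer; a second unquote() also catches double-encoding.
        decoded = unquote(value)
        if not ALLOWED.fullmatch(decoded):
            return decoded
    return None


def scan_log(text: str):
    """Return (ip, status, value) for every request whose gblOrgID fails the allowlist."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production monitor would count these too
        bad = check_request(m["target"])
        if bad is not None:
            findings.append((m["ip"], int(m["status"]), bad))
    return findings


if __name__ == "__main__":
    for ip, status, value in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} suspicious {PARAM}={value!r}")
```

The same allowlist expression can be placed in a WAF rule for the endpoint; because it rejects everything that is not a numeric ID, it does not need updating as new injection syntaxes appear.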
Important: These are temporary workarounds. A proper fix requires a patch from the vendor. Continue to monitor for updates from Chanjet regarding this vulnerability. We will update this article as more information becomes available.
