Overview
A critical SQL injection vulnerability, identified as CVE-2025-64084, has been discovered in Cloudlog, an amateur radio logging software. This vulnerability affects versions 2.7.5 and earlier. An authenticated attacker can exploit this flaw to execute arbitrary SQL commands on the Cloudlog database. This article provides a detailed analysis of the vulnerability, its potential impact, and the steps required to mitigate it.
Technical Details
The vulnerability resides within the vucc_details_ajax function located in the application/controllers/Awards.php file. The code fails to properly sanitize user-supplied input from the Gridsquare POST parameter. Specifically, the Gridsquare parameter is directly concatenated into a raw SQL query within the vucc_qso_details function without proper sanitization or escaping. This allows a remote, authenticated attacker to inject malicious SQL code, leading to potential data breaches, unauthorized data modification, or even complete database compromise.
Affected code snippet (prior to patch, conceptual):
$gridsquare = $_POST['Gridsquare'];
$sql = "SELECT * FROM qso WHERE gridsquare = '" . $gridsquare . "'";
// Execute the query
As you can see, the value of $_POST['Gridsquare'] is concatenated directly into the SQL query. An attacker could provide a value like ' OR 1=1; -- to extract all data from the qso table or even modify data.
CVSS Analysis
Due to the specific nature and potential impact of this vulnerability, a CVSS score and severity level were not immediately available at the time of publication (N/A). However, given that it’s an authenticated SQL injection, it’s highly recommended to treat this as a high-severity issue. It allows a user with valid credentials to potentially gain full control over the underlying database. A CVSS score and severity are under evaluation. This section will be updated once available.
Possible Impact
The exploitation of CVE-2025-64084 could have severe consequences, including:
- Data Breach: Unauthorized access to sensitive amateur radio logging data, including callsigns, locations, and QSO details.
- Data Modification: Alteration of existing data, potentially leading to inaccurate records and operational disruptions.
- Account Takeover: In some configurations, the attacker could potentially gain access to user accounts or elevate privileges.
- Denial of Service (DoS): A crafted SQL injection payload could disrupt database operations, leading to a denial of service for legitimate users.
- Complete System Compromise: Depending on the database configuration and permissions, a successful SQL injection could potentially lead to complete system compromise.
Mitigation or Patch Steps
The recommended course of action is to immediately update Cloudlog to version 2.7.6 or later. This version contains a patch that addresses the SQL injection vulnerability by properly sanitizing the user-supplied input.
- Update Cloudlog: Upgrade to version 2.7.6 or a later stable release. You can find the latest release on the Cloudlog GitHub repository.
- Verify the Installation: After the upgrade, verify that the
Awards.phpfile has been updated with the patched code. Check that proper sanitization or parameterized queries are implemented. - Review Security Practices: As a general security practice, review your Cloudlog installation and ensure that all users follow strong password policies.
