CVE-2025-54119

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-54119
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.

10.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03
https://github.com/ADOdb/ADOdb/issues/1083
https://github.com/ADOdb/ADOdb/security/advisories/GHSA-vf2r-cxg9-p7rf
Configurations

No configuration.

History

05 Aug 2025, 14:34

Type Values Removed Values Added
Summary
  • (es) ADOdb es una librería de clases de bases de datos PHP que proporciona abstracciones para realizar consultas y administrar bases de datos. En las versiones 5.22.9 y anteriores, el escape incorrecto de un parámetro de consulta puede permitir que un atacante ejecute sentencias SQL arbitrarias cuando el código que usa ADOdb se conecta a una base de datos sqlite3 e invoca los métodos metaColumns(), metaForeignKeys() o metaIndexes() con un nombre de tabla manipulado. Esto se solucionó en la versión 5.22.10. Para solucionar este problema, solo pase datos controlados al parámetro $table de los métodos metaColumns(), metaForeignKeys() y metaIndexes().

05 Aug 2025, 01:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-05 01:15

Updated : 2025-08-05 14:34

NVD link : CVE-2025-54119

Mitre link : CVE-2025-54119

CVE.ORG link : CVE-2025-54119

JSON object : View

Products Affected

No product.

CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')